CVS Review needed

Howard Owen hbo at egbok.com
Tue Jun 1 22:37:07 UTC 2004


That's interesting. Red Hat hasn't seen fit to patch for CAN-2004-0405 
yet. (The latest sources for RHEL3 don't contain the code produced by the 
patch at 
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch). The 
client.c code in the legacy srpm doesn't contain the fix, either. 
(src/client.c, call_in_directory() function, starting at line 997)

On Tue, 1 Jun 2004, Jim Popovitch wrote:

> 
> Well, for starters, CAN-2004-0414/0416/0417/0418 haven't been published
> yet.  CAN-2004-0396 is the most serious as it allows remote users to
> attack cvs servers.  CAN-2004-0180 is the reverse, it allows a malicious
> server to attack a user.  
> 
> RedHat's response to CAN-2004-0396
> http://rhn.redhat.com/errata/RHSA-2004-190.html
> 
> RedHat's response to CAN-2004-0180 (which also mentions CAN-2004-0405)
> http://rhn.redhat.com/errata/RHSA-2004-154.html
> 
> CAN-2004-0405 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405) is probably just as bad as CAN-2004-0396 and therefore both fixes need to be implemented in legacy.
> 
> So, according to Comment #19 (Daniel Drown) 2004-05-21, for bug 1620,
> cvs-1.11.1p1-9.7.legacy.src.rpm includes fixes for both CAN-2004-0396
> and CVE-2004-0180 (although Daniel's comments should be CAN-2004-0180
> not CVE-2004-0180).  Presumably this was carried forward into the 
> cvs-1.11.1p1-14.legacy.3.i386.rpm that exists in testing. ;)
> 
> hth,
> 
> -Jim P.
> 
> 
> On Tue, 2004-06-01 at 14:47, Jesse Keating wrote:
> > There is a sudden influx of CVS issues, and I'm not sure what all CVEs 
> > our packages address.  Can some of you check 
> > https://bugzilla.fedora.us/show_bug.cgi?id=1620 for the following CVE 
> > coverage:
> > 
> > CAN-2004-0180 CAN-2004-0396 CAN-2004-0414 CAN-2004-0416 CAN-2004-0417 
> > CAN-2004-0418
> > 
> > Thanks.
> 
> 
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list
> 
> 

-- 
Howard Owen                      "Even if you are on the right
EGBOK Consultants                 track, you'll get run over if you
hbo at egbok.com    +1-650-218-2216  just sit there." - Will Rogers
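An added example, not code from the CVS source or from the FreeBSD SA-04:07 patch referenced above: the kind of sanity check the CAN-2004-0405 fix puts in the client's call_in_directory() path on directory names the server sends, namely rejecting absolute pathnames and any ".." component before the client creates anything on disk. The function name unsafe_server_path and the sample inputs are constructed here for illustration; that the real fix takes exactly this shape is an assumption modeled on the behaviour of the patched client, not a transcription of it.

```c
/* Added example of a server-supplied pathname check for a CVS-style client.
 * Not the CVS source or the FreeBSD patch; the rule implemented (reject
 * absolute paths and any ".." component) is an assumption modeled on the
 * CAN-2004-0405 fix. Sample inputs in main() are constructed. */
#include <stdio.h>
#include <string.h>

/* Return 1 if 'path', as received from the server, must not be used
 * relative to the client's working directory; 0 if it looks safe. */
int unsafe_server_path(const char *path)
{
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 1;                         /* nothing sane to check */

    /* Absolute Unix path, or a leading backslash on DOS-style builds. */
    if (path[0] == '/' || path[0] == '\\')
        return 1;

    /* DOS-style drive-letter path such as "C:\foo". */
    if (((path[0] >= 'A' && path[0] <= 'Z') ||
         (path[0] >= 'a' && path[0] <= 'z')) && path[1] == ':')
        return 1;

    /* Walk each component; a bare ".." anywhere escapes the tree. */
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if ((size_t)(end - p) == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p = *end ? end + 1 : end;         /* skip the separator */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample directory names a server might send. */
    const char *samples[] = {
        "src",                 /* ordinary relative name: safe   */
        "src/client.c",        /* nested relative name:   safe   */
        "..foo/bar",           /* not a ".." component:   safe   */
        "/etc",                /* absolute:               reject */
        "../../home",          /* parent traversal:       reject */
        "a/b/../c",            /* traversal mid-path:     reject */
        "C:\\temp",            /* drive letter:           reject */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               unsafe_server_path(samples[i]) ? "reject" : "ok");
    return 0;
}
```

The check is deliberately conservative: it treats both '/' and '\\' as separators so a ".." hidden behind a backslash is still caught, and it rejects an empty name rather than letting the caller fall through to the current directory.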
