Fedora Test Update Notification: cvs

Jesse Keating jkeating at j2solutions.net
Fri Jun 11 02:14:53 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Fedora Test Update Notification
FEDORA-2004-1735
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1735
2004-06-10
- ---------------------------------------------------------------------
 
Name        : cvs
Version 7.3 : 1.11.1p1-16.legacy.2
Version 9   : 1.11.2-24.legacy
Summary     : A version control system.
Description :
CVS (Concurrent Versions System) is a version control system that can
record the history of your files (usually, but not always, source
code). CVS only stores the differences between versions, instead of
every version of every file you have ever created. CVS also keeps a log
of who, when, and why changes occurred.
 
CVS is very helpful for managing releases and controlling the
concurrent editing of source files among multiple authors. Instead of
providing version control for a collection of files in a single
directory, CVS provides version control for a hierarchical collection
of directories consisting of revision controlled files. These
directories and files can then be combined together to form a software
release.
 
- ---------------------------------------------------------------------
Update Information:
 
While investigating a previously fixed vulnerability, Derek Price
discovered a flaw relating to malformed "Entry" lines which led to a
missing NULL terminator. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0414 to this issue.
 
Stefan Esser and Sebastian Krahmer conducted an audit of CVS and fixed a
number of issues that may have had security consequences.
 
Among the issues deemed likely to be exploitable were:
 
- -- a double-free relating to the error_prog_name string (CAN-2004-0416)
- -- an argument integer overflow (CAN-2004-0417)
- -- out-of-bounds writes in serv_notify (CAN-2004-0418).
 
An attacker who has access to a CVS server may be able to execute arbitrary
code under the UID under which the CVS server runs.
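The "missing NULL terminator" class named above, as an added illustration that is not CVS's own code and does not reproduce the actual CVS flaw or its fix: `unsafe_copy` shows how a `strncpy` into a fixed buffer leaves no terminator when the field is at least as long as the buffer, `bounded_copy` is the checked replacement, and `parse_entry_line` applies it to a line in the documented CVS/Entries layout `/name/revision/timestamp/options/tagdate`. The per-field limit `FIELD_MAX`, the function names and the sample lines are assumptions.

```c
/* Bounded parsing of a CVS "Entry" line.  Added illustration of the
 * missing-NUL-terminator bug class named in the advisory; not CVS's code.
 * The line layout /name/revision/timestamp/options/tagdate is the documented
 * CVS/Entries format; FIELD_MAX and the function names are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX    32   /* assumed per-field limit, including the NUL */
#define ENTRY_FIELDS 5

struct entry {
    char name[FIELD_MAX];
    char revision[FIELD_MAX];
    char timestamp[FIELD_MAX];
    char options[FIELD_MAX];
    char tagdate[FIELD_MAX];
};

/* The classic mistake: strncpy() writes no terminator when src is at least
 * dstsize bytes long, so a later strlen()/printf() runs off the buffer.
 * Returns 1 if dst ended up NUL-terminated, 0 if it did not. */
int unsafe_copy(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Hardened copy: refuse anything that does not fit together with its
 * terminator, and always leave dst terminated.  0 on success, -1 if too long. */
int bounded_copy(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    if (dstsize == 0)
        return -1;
    if (srclen >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Split "/name/revision/timestamp/options/tagdate" into e.
 * Returns 0 on success, -1 if the line is malformed: missing leading slash,
 * wrong number of separators, or a field too long for its buffer. */
int parse_entry_line(const char *line, struct entry *e)
{
    char *fields[ENTRY_FIELDS];
    const char *p = line;
    int i;

    memset(e, 0, sizeof *e);
    fields[0] = e->name;
    fields[1] = e->revision;
    fields[2] = e->timestamp;
    fields[3] = e->options;
    fields[4] = e->tagdate;

    if (*p != '/')
        return -1;
    p++;
    for (i = 0; i < ENTRY_FIELDS; i++) {
        const char *end = strchr(p, '/');
        size_t len;

        if (i < ENTRY_FIELDS - 1) {
            if (end == NULL)
                return -1;          /* too few separators */
            len = (size_t)(end - p);
        } else {
            if (end != NULL)
                return -1;          /* too many separators */
            len = strlen(p);
        }
        if (bounded_copy(fields[i], FIELD_MAX, p, len) != 0)
            return -1;              /* field does not fit */
        p = end ? end + 1 : p + len;
    }
    return 0;
}

int main(void)
{
    struct entry e;
    char buf[8];

    printf("unsafe_copy terminated: %d\n", unsafe_copy(buf, sizeof buf, "1.11.1p1-16"));
    printf("parse ok: %d\n", parse_entry_line("/foo.c/1.2/Sun Dec  1 00:00:00 1996//", &e));
    printf("name=%s rev=%s\n", e.name, e.revision);
    printf("parse malformed: %d\n", parse_entry_line("/foo.c/1.2/", &e));
    return 0;
}
```

The rejection path matters as much as the copy itself: a server that accepts a malformed line and keeps going is exactly where an unterminated string gets read later by code that assumes a terminator.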
- ---------------------------------------------------------------------
Changelog:
 
7.3:

* Wed Jun 09 2004 Dave Botsch <dwb7 at ccmr.cornell.edu> 1.11.1p1-16.legacy
 
- - add patches from 2.1AS to fix CAN-2004-0416, 17, 18, 14 to legacy and
- - bump release
- - fix changelog order for May 25, 21 entries
- - add texinfo as buildprereq
 
* Fri May 28 2004 Nalin Dahyabhai <nalin at redhat.com> 1.11.1p1-16
 
- - add security fix for CAN-2004-0416,CAN-2004-0417,CAN-2004-0418 (Stefan Esser)
 
* Tue May 25 2004 Jesse Keating <jkeating at j2solutions.net> 1.11.1p1-14.legacy.3
 
- - Added tcsh as a buildprereq.
 
9:

* Wed Jun 09 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.11.2-24.legacy
 
- - add security fix for CVE CAN-2004-0414 (Derek Price)
- - add security fix for CAN-2004-0416,CAN-2004-0417,CAN-2004-0418 (Stefan Esser)
 
- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/redhat/
 
d309756c60dcf33235581f2174db39fe103bac27  7.3/updates-testing/SRPMS/cvs-1.11.1p1-16.legacy.2.src.rpm
9620756fc080096881f062b6272306a1ba57fb40  7.3/updates-testing/i386/cvs-1.11.1p1-16.legacy.2.i386.rpm

ffa2ea4c2689dbbd304364a14517a0e9f1747be2  9/updates-testing/SRPMS/cvs-1.11.2-24.legacy.src.rpm
9f3eac397a31464cc39bad75877e6f5a11c7c31d  9/updates-testing/i386/cvs-1.11.2-24.legacy.i386.rpm
 
Please note that this update is also available via yum and apt through the 
updates-testing channel.  Many people find this an easier way to apply 
updates.
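Checking the downloaded packages against the sums listed above before installing, as an added example that is not part of the advisory: `check_sha1` compares one file with an expected SHA-1, `verify_listing` reads `<sha1>  <path>` pairs in the advisory's own layout (accepting the form where the path wraps onto the line after the sum, as it does in mail-wrapped copies) and checks each file under a base directory, and `check_rpm_sig` wraps `rpm --checksig`. It assumes `sha1sum` from coreutils and `rpm`, and that the files were saved under the same relative paths as on the mirror.

```shell
#!/bin/sh
# verify_update.sh: added example, not part of the advisory.  Checks files
# downloaded from the mirror against the SHA-1 sums the advisory lists, then
# (optionally) the RPM's GPG signature.  Assumes sha1sum(1) from coreutils and
# rpm(1); the directory layout mirrors the advisory's "7.3/..." and "9/..." paths.

# check_sha1 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if FILE does not exist.
check_sha1() {
    [ -f "$1" ] || return 2
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_listing BASEDIR < listing
# Reads "<sha1>  <relative path>" pairs from stdin.  A line holding only a
# sum is taken to continue on the next line (mail-wrapped form).  Prints one
# status line per file and returns the number of files missing or mismatched.
verify_listing() {
    base="$1"
    bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue               # skip blank lines
        if [ -z "$path" ]; then                 # wrapped form: path on next line
            read -r path || break
        fi
        if check_sha1 "$base/$path" "$sum"; then
            rc=0
        else
            rc=$?
        fi
        case $rc in
            0) echo "OK        $path" ;;
            1) echo "MISMATCH  $path"; bad=$((bad + 1)) ;;
            *) echo "MISSING   $path"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# check_rpm_sig FILE
# Verifies the package signature; only meaningful once the signing key has
# been imported into the RPM keyring, which this script does not do.
check_rpm_sig() {
    rpm --checksig "$1"
}
```

Run it with the listing on stdin, for example `verify_listing ~/legacy-updates < sums.txt`; a non-zero return means at least one file is missing or mismatched. The SHA-1 sums only confirm that the download matches what the advisory announced, so the signature check is still worth running once the Fedora Legacy key is in the keyring.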
- ---------------------------------------------------------------------
- -- 
Jesse Keating RHCE	(http://geek.j2solutions.net)
Fedora Legacy Team	(http://www.fedoralegacy.org)
GPG Public Key		(http://geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful?  Let others know:
 http://svcs.affero.net/rm.php?r=jkeating
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAyRWg4v2HLvE71NURAgq4AKCKgV2Xra/M6Te6f/FmAHpKr9H+DQCgwF2x
om6x9Ixo1nAOI10oA9KMP+0=
=lniu
-----END PGP SIGNATURE-----

More information about the fedora-legacy-list mailing list