
Conectiva alert CLA-2003:560 (cvs)

From:  secure@conectiva.com.br
To:  conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org
Subject:  [CLA-2003:560] Conectiva Linux Security Announcement - cvs
Date:  Tue, 21 Jan 2003 17:40:46 -0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE           : cvs
SUMMARY           : Remote vulnerability
DATE              : 2003-01-21 15:46:00
ID                : CLA-2003:560
RELEVANT RELEASES : 6.0, 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
 CVS is a version control system widely used in software projects.

 During a code audit, Stefan Esser discovered a double free()
 vulnerability[2][3] in the CVS code. This vulnerability can be
 exploited by remote users, authenticated or anonymous, to execute
 arbitrary commands on the server.

 Please note that users with write access to CVS (the so-called
 "committers") usually already have shell access on the server, or can
 easily get shell access, as has already been discussed elsewhere[4].

 Besides fixing the double free vulnerability, the new packages
 provided with this update now have the Checkin-prog and Update-prog
 commands disabled.

SOLUTION
 It is recommended that all CVS administrators upgrade their packages
 immediately.

 REFERENCES
 1. http://www.cvshome.org/
 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
 3. http://security.e-matters.de/advisories/012003.html
 4. http://online.securityfocus.com/archive/1/72584

UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/cvs-1.10.8-5U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-1.10.8-5U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-doc-1.10.8-5U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/cvs-1.11-7U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-1.11-7U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-doc-1.11-7U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/cvs-1.11-9U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-1.11-9U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-doc-1.11-9U80_1cl.i386.rpm

ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades of RPM packages:
 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------

All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------

All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+LaI942jd0JmAcZARAmMNAJ4xnuDXLmUomJFGLLBtJuzLTSu4ggCfaDLF
EA4lnoULB9YtnNBphn1zNW8=
=XF94
-----END PGP SIGNATURE-----



Copyright © 2013, Eklektix, Inc.