|| ||Jamie McCarthy <jamie-AT-slashdot.org>|
|| ||Security Advisory for CVS Slash|
|| ||Wed, 15 Dec 2004 11:03:56 -0500|
There has been a security issue in CVS Slash code for the last
couple of years which was found recently. This is something that
site administrators should be concerned about.
Slash is the CMS "blog" software which runs Slashdot.org and
numerous other websites. Slashdot, and the other Slash websites run
by OSTG, are not currently vulnerable.
We are urging all sites which are using a version of the code from
CVS to upgrade now to the CVS tag R_2_5_0_41. Sites which are using
the 2.2.6 tarball, the latest official release, do not need to
upgrade (the issue is not present there).
Normally we do not make security announcements for CVS code, because
when we have found them in the past, the issues were extremely small
and/or fixed within days. This one has been around for a long time,
though, and affects many of the R_ tags which we have been
recommending sites use, so we're publicly urging site admins to
upgrade. (R_ tags in CVS are ones which we consider relatively
stable, while T_ tags should be used primarily for testing.)
This issue was found by Michael Krax <http://www.mikx.de/>>, who we
understand is working on publishing the details of the vulnerability
soon. We hope that motivates site admins to upgrade sites
immediately. We thank Mr. Krax for working with us by reporting
this vulnerability to us in a responsible manner.
In about a week, in any case, we will make the details public
ourselves and offer a patch which will allow you to secure your
sites without performing a full upgrade to R_2_5_0_41.
If you are using CVS code from June 2004 or earlier -- the x_2_3_*
tags -- please note that upgrading from a x_2_3_* tag to an x_2_5_*
tag is nontrivial. What you'll want to do is
cvs update -r T_2_5_0_4 -dP
and then apply the upgrades file in the normal fashion, including
running utils/convertDBto200406 where it says to do so. Then
cvs update -r R_2_5_0_41 -dP
and continue applying the rest of the upgrades file.
Any questions about the upgrade process, or other comments on this
issue, can be posted on the Slashcode website story for this
or can be asked in the channel #slash on irc.slashnet.org. We'll
make a solid effort to help anyone upgrade who needs to.
However, for security reasons, we cannot reveal more details about
the issue until next week, when all sites have had a chance to
upgrade. Watch http://www.slashcode.com/ next week for full
disclosure. And if you run a Slash site and aren't already
subscribed to the slashcode-general mailing list, you should be:
Our apologies for this oversight. This is the first security
notification issued for Slash in over two years, but one is too
many, and we are reviewing our programming process to try to prevent
this from happening again.
Private questions about these issues can be addressed to me on IRC
(user "jamie" in #slash on irc.slashnet.org) or in email at
<email@example.com>; to notify us of additional security issues we
may not be aware of, please email <firstname.lastname@example.org>.
to post comments)