I've run into this problem at my organization as well (MITRE), and here's
what I've found out:
The cvsweb script in Debian-SF is based on version 1.112 (which is several
revisions above 1.85, as you can see). The problem lies in how Nessus
determines the version of cvsweb: It uses an HTML comment in the generated
output of the cvsweb pages that contains an expanded $Revision$ CVS tag.
This is a very broken way of reporting the version, because the instant it
is checked into another CVS repository (as happened with Debian-SF) the
apparent version changes, and in our case effectively resets to 1.2. A
little research dug up that not only is version 1.2 very old, it was also
(as far as I can gather) in German, making it rather unfit for our purposes
here :). I'm not even sure if it was publicly released, actually. But that's
all a moot point. To answer, yes, the version is secure.
On another note, I've recently done some work to integrate Chora into our
version of SF here, but:
1) It's based on 2.5
2) It relies on a bunch of changes to the theme architecture
3) It also makes use of our security system
Thanks for the note
-- Justin
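
The failure mode described in the reply above, as an added example that is not part of the original message or of Nessus or cvsweb: a banner-only check reads the expanded $Revision$ keyword from the page and flags it, while triage against the known upstream base revision marks the finding as a false-positive candidate. The HTML comment layout, the sample page and the function names are assumptions constructed for illustration.

```python
import re

# CVS expands the $Revision$ keyword to e.g. "$Revision: 1.2 $" on checkout,
# numbered by whichever repository the file currently lives in.
REVISION_RE = re.compile(r"\$Revision:\s*(\d+(?:\.\d+)+)\s*\$")

# Constructed sample page; the exact layout of the comment is an assumption.
SAMPLE_PAGE = "<html><!-- cvsweb $Revision: 1.2 $ --><body>...</body></html>"


def to_tuple(revision):
    """'1.112' -> (1, 112). CVS revisions compare per component, not as decimals."""
    return tuple(int(part) for part in revision.split("."))


def parse_revision(page_html):
    """Return the first expanded $Revision$ keyword as a tuple of ints, or None."""
    match = REVISION_RE.search(page_html)
    return to_tuple(match.group(1)) if match else None


def banner_check(page_html, threshold="1.85"):
    """Mimic a banner-only check: flag when the page revision is <= threshold."""
    rev = parse_revision(page_html)
    return rev is not None and rev <= to_tuple(threshold)


def triage(page_html, upstream_base, threshold="1.85"):
    """Classify a banner finding using the upstream revision the local copy
    was imported from (supplied by the operator from source provenance)."""
    if not banner_check(page_html, threshold):
        return "not-flagged"
    if to_tuple(upstream_base) > to_tuple(threshold):
        # The banner shows a repository-local number, not the upstream version.
        return "false-positive-candidate"
    return "needs-patch-review"


if __name__ == "__main__":
    print(parse_revision(SAMPLE_PAGE), triage(SAMPLE_PAGE, "1.112"))
```

Comparing the revisions as decimals would get this wrong in the other direction, since 1.112 is numerically smaller than 1.85 while revision 1.112 is later than revision 1.85.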
----- Original Message -----
From: "Lee Sheridan" <address@hidden>
To: <address@hidden>
Sent: Wednesday, April 09, 2003 12:59 PM
Subject: [Debian-sf-users] cvsweb and CVE-2000-0670
Hi. I'm setting up a SF site, based on the current debian-sf 2.6 out of
CVS.
Part of our local policy for newly network attached systems is an ISS or
Nessus scan. Nessus is complaining that "The remote cvsweb is older or
as old as version 1.85", and points to CVE-2000-0670.
The Bugtraq message is here:
http://www.securityfocus.com/archive/1/69942/2000-07-06/2000-07-12/0
Looking at the sf code, I see that parts of cvsweb were integrated into
the Debian tree.
Quoting /sourceforge-2.6/deb-specific/cvsweb/cvsweb.cgi:
# Based on:
# * Bill Fenners cvsweb.cgi revision 1.28 available from:
# http://www.freebsd.org/cgi/cvsweb.cgi/www/en/cgi/cvsweb.cgi
So my question is -- was this vulnerability patched in the debian-sf
branch of the cvsweb code, or irrelevant in the debian-sf code? I admit
to not being a good enough coder to confidently proclaim that I consider
it to be a false positive.
Thanks in advance.
--
Lee Sheridan 301.286.5898 voice
NASA / Goddard Space Flight Center address@hidden
Computer Sciences Corporation Building 28, Room S241
Code 931
_______________________________________________
Debian-sf-users mailing list
address@hidden
http://mail.nongnu.org/mailman/listinfo/debian-sf-users