bug-cvs

Re: CVS 1.11.5 Released (Security Update)


From: Derek Robert Price
Subject: Re: CVS 1.11.5 Released (Security Update)
Date: Mon, 20 Jan 2003 16:55:52 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

Shankar Unni wrote:

CVS 1.11.5 has been released. This release fixes a major security
vulnerability in CVS. The Common Vulnerabilities and Exposures project
(cve.mitre.org <http://cve.mitre.org>) has assigned the name
CAN-2003-0015 to this issue. See the text of CAN-2003-0015
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015> for more
information.

Looks like someone's marked the CVE entry as "reserved", so we have no
idea what this is about. There are literally 0 details on the CVE site,
except the candidate number (not even a one-line description or the
product affected).

Someone care to at least summarize what the vulnerability is?

The CVE data should show up soon. We were delaying update of the CVE site in order to make sure that a patch would be available before a general vulnerability announcement.

Without going into too much detail, the vulnerability allows read-only CVS users to execute arbitrary code as the user the CVS server executable is running as.

Again, the CVE site should be updated with more detail soon.

Derek

--
               *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
--
73. ASCII a stupid question, get a stupid ANSI!






