Re: CVS Security Vulnerability

From: Derek Robert Price
Subject: Re: CVS Security Vulnerability
Date: Tue, 25 May 2004 11:29:32 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413
Code reviews are being conducted by interested parties. Most of those
parties are not me and I have little information on their current
progress.
Derek
Richard Wesley wrote:
> Pardon me if this is an ignorant question, but is there going to be
> a code audit starting from the date of the rooting of the server?
>
> At 5:08 PM -0400 5/24/04, Derek Robert Price wrote:
>
> Hi all,
>
> For those who don't know, cvshome.org is currently down because it was
> hacked, via its CVS server we believe. cvshome.org was used to send
> an email that contains an exploit for the security vulnerability
> CAN-2004-0396
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396>
> patched in releases 1.11.16 & 1.12.8.
>
> The email with the exploit is here:
>
> <http://www.packetstormsecurity.org/0405-exploits/cvs_linux_freebsd_HEAP.c>.
>
> Our working theory is that cvshome.org was abused to send the email
> using a root kit installed prior to the patching of its CVS server for
> CAN-2004-0396.
>
> Note that this vulnerability requires a valid login id & password on
> the CVS server to exploit, but that even an anonymous & read-only
> account is sufficient. This vulnerability also applies to any CVS
> server, post-authentication. A CVS server accessed via pserver, ssh,
> or any other method will be equally vulnerable.
>
> I recommend that any CVS server running a release of CVS earlier than
> 1.11.16 or 1.12.8 be taken down immediately and patched.
>
> cvshome.org should be back up shortly but it may be some time before
> anonymous read-only access is reenabled. Thanks go out to the folks
> at CollabNet for all the time they have been spending on this.
>
> Derek
>
>
> _______________________________________________
> Info-cvs mailing list
> address@hidden
> http://mail.gnu.org/mailman/listinfo/info-cvs
> Best regards,
> Richard Wesley
> Co-President, Electric Fish, Inc.
> <http://www.electricfish.com/>
> (v) +1-206-493-1690x210
> (f) +1-206-493-1697
> (h) +1-206-632-4536
> (m) +1-206-409-4536
--
*8^)
Email: address@hidden
Get CVS support at <http://ximbiot.com>!
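An added triage helper, not part of this thread or of CVS itself, that classifies the banner printed by `cvs --version` against the fixed releases named in the advisory, 1.11.16 and 1.12.8, comparing numerically so that 1.11.2 is correctly treated as older than 1.11.16. The banner format and the assumption that branches newer than 1.12 were cut after the fix are mine, not the page's.

```python
import re

# Fixed releases for CAN-2004-0396 as stated in the advisory, one per branch.
FIXED_BY_BRANCH = {(1, 11): (1, 11, 16), (1, 12): (1, 12, 8)}

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)")


def parse_version(text):
    """Extract the first dotted version from a string (e.g. a `cvs --version`
    banner) as a tuple of ints, so that (1, 11, 16) > (1, 11, 2) holds;
    comparing the raw strings would get this wrong."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number found in: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True if a CVS server at `version` predates the fix for CAN-2004-0396."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    # Branches older than 1.11 never received the fix; branches newer than
    # 1.12 are assumed (not stated in the advisory) to have been cut after it.
    return version < min(FIXED_BY_BRANCH.values())


def triage(banner):
    """Classify one `cvs --version` banner: 'vulnerable', 'patched' or 'unknown'."""
    try:
        version = parse_version(banner)
    except ValueError:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


if __name__ == "__main__":
    # Constructed sample banners in the format `cvs --version` prints (assumed).
    samples = [
        "Concurrent Versions System (CVS) 1.11.15 (client/server)",
        "Concurrent Versions System (CVS) 1.11.16 (client/server)",
        "Concurrent Versions System (CVS) 1.12.7 (client/server)",
        "Concurrent Versions System (CVS) 1.12.8 (client/server)",
        "Concurrent Versions System (CVS) 1.11.2 (client/server)",
        "Concurrent Versions System (CVS) 1.10.8 (client/server)",
    ]
    for banner in samples:
        print("%-60s %s" % (banner, triage(banner)))
```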