[gentoo-announce] UPDATE: [ GLSA 200504-16 ] CVS: Multiple vulnerabilities - gentoo-announce

From:	Sune Kloppenborg Jeppesen <jaervosz@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] UPDATE: [ GLSA 200504-16 ] CVS: Multiple vulnerabilities
Date:	Fri, 22 Apr 2005 11:33:08
Message-Id:	`200504221335.39571.jaervosz@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory [UPDATE]               GLSA 200504-16:02

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: High

8

     Title: CVS: Multiple vulnerabilities

9

      Date: April 18, 2005

10

   Updated: April 21, 2005

11

      Bugs: #86476

12

        ID: 200504-16:02

13

14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

15

16

Update

17

======

18

19

The initial version did not fix several DoS vulnerabilities and one

20

instance of arbitrary code execution. The arbitrary code execution was only

21

possible under very specific circumstances.

22

23

The updated sections appear below.

24

25

Affected packages

26

=================

27

28

    -------------------------------------------------------------------

29

     Package       /  Vulnerable  /                         Unaffected

30

    -------------------------------------------------------------------

31

  1  dev-util/cvs      < 1.11.20                            >= 1.11.20

32

33

Description

34

===========

35

36

Alen Zukich has discovered several serious security issues in CVS,

37

including at least one buffer overflow (CAN-2005-0753), memory leaks

38

and a NULL pointer dereferencing error. Furthermore when launching

39

trigger scripts CVS includes a user controlled directory.

40

41

Resolution

42

==========

43

44

All CVS users should upgrade to the latest version:

45

46

    # emerge --sync

47

    # emerge --ask --oneshot --verbose ">=dev-util/cvs-1.11.20"

48

49

Availability

50

============

51

52

This GLSA and any updates to it are available for viewing at

53

the Gentoo Security Website:

54

55

  http://security.gentoo.org/glsa/glsa-200504-16.xml

56

57

Concerns?

58

=========

59

60

Security is a primary focus of Gentoo Linux and ensuring the

61

confidentiality and security of our users machines is of utmost

62

importance to us. Any security concerns should be addressed to

63

security@g.o or alternatively, you may file a bug at

64

http://bugs.gentoo.org.

65

66

License

67

=======

68

69

Copyright 2005 Gentoo Foundation, Inc; referenced text

70

belongs to its owner(s).

71

72

The contents of this document are licensed under the

73

Creative Commons - Attribution / Share Alike license.

74

75

http://creativecommons.org/licenses/by-sa/2.0

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory [UPDATE] GLSA 200504-16:02
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: CVS: Multiple vulnerabilities
9	Date: April 18, 2005
10	Updated: April 21, 2005
11	Bugs: #86476
12	ID: 200504-16:02
13
14	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15
16	Update
17	======
18
19	The initial version did not fix several DoS vulnerabilities and one
20	instance of arbitrary code execution. The arbitrary code execution was only
21	possible under very specific circumstances.
22
23	The updated sections appear below.
24
25	Affected packages
26	=================
27
28	-------------------------------------------------------------------
29	Package / Vulnerable / Unaffected
30	-------------------------------------------------------------------
31	1 dev-util/cvs < 1.11.20 >= 1.11.20
32
33	Description
34	===========
35
36	Alen Zukich has discovered several serious security issues in CVS,
37	including at least one buffer overflow (CAN-2005-0753), memory leaks
38	and a NULL pointer dereferencing error. Furthermore when launching
39	trigger scripts CVS includes a user controlled directory.
40
41	Resolution
42	==========
43
44	All CVS users should upgrade to the latest version:
45
46	# emerge --sync
47	# emerge --ask --oneshot --verbose ">=dev-util/cvs-1.11.20"
48
49	Availability
50	============
51
52	This GLSA and any updates to it are available for viewing at
53	the Gentoo Security Website:
54
55	http://security.gentoo.org/glsa/glsa-200504-16.xml
56
57	Concerns?
58	=========
59
60	Security is a primary focus of Gentoo Linux and ensuring the
61	confidentiality and security of our users machines is of utmost
62	importance to us. Any security concerns should be addressed to
63	security@g.o or alternatively, you may file a bug at
64	http://bugs.gentoo.org.
65
66	License
67	=======
68
69	Copyright 2005 Gentoo Foundation, Inc; referenced text
70	belongs to its owner(s).
71
72	The contents of this document are licensed under the
73	Creative Commons - Attribution / Share Alike license.
74
75	http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce