Gentoo Archives: gentoo-announce

From: Rajiv Aaron Manglani <rajiv@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] GLSA: cvs (200312-08)
Date: Mon, 29 Dec 2003 07:24:01
Message-Id: a05210601bc1585a2de17@[10.96.0.12]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


--------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-08
--------------------------------------------------------------------------

GLSA: 200312-08
package: dev-util/cvs
summary: Fix for possible root compromise when using CVS pserver
severity: high
Gentoo bug: 36142
date: 2003-12-28
exploit: unknown
affected: <=1.11.10
fixed: >=1.11.11


DESCRIPTION:

Quote from <http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88>:

"Stable CVS 1.11.11 has been released. Stable releases contain only
bug fixes from previous versions of CVS. This release adds code to
the CVS server to prevent it from continuing as root after a user
login, as an extra failsafe against a compromise of the
CVSROOT/passwd file. Previously, any user with the ability to write
the CVSROOT/passwd file could execute arbitrary code as the root
user on systems with CVS pserver access enabled. We recommend this
upgrade for all CVS servers!"
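The failsafe described above is a permanent privilege drop after login: once the server has authenticated the user it gives up root, so a CVSROOT/passwd entry that an attacker controls can no longer yield root. The following is an added illustration of that pattern, written for this advisory and not taken from the CVS sources; the target uid/gid 65534 is a constructed placeholder for the unprivileged account the server would switch to.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop root to uid/gid, in the one order that works:
 * supplementary groups first, then the primary gid, then the uid
 * (once the uid is no longer 0 the gid can no longer be changed).
 * Returns 0 on success, -1 with errno set if any step fails. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {                 /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Failsafe: if root can still be regained, the drop was not
     * permanent (e.g. only the effective uid changed). */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed usage: as root this switches to 65534 and stays there;
     * as an ordinary user the kernel refuses and the error is reported
     * instead of being silently ignored. */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid %u\n", (unsigned)geteuid());
    return 0;
}
```

The check after setuid() is the part that matters for a server: a drop that merely changes the effective uid (seteuid) can be undone by the very code it is meant to contain.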


SOLUTION:

All Gentoo Linux machines with cvs installed should be updated to use
cvs-1.11.11 or higher.

emerge sync
emerge -pv '>=dev-util/cvs-1.11.11'
emerge '>=dev-util/cvs-1.11.11'
emerge clean


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/79SAnt0v0zAqOHYRAuWTAJ9UY/lAvsKQRtHLQZr/zDUf5eok6wCgumZt
ICbAjuPbALouwsdG16pqS6s=
=UQlf
-----END PGP SIGNATURE-----