-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-08
- --------------------------------------------------------------------------

GLSA:        200312-08
package:     dev-util/cvs
summary:     Fix for possible root compromise when using CVS pserver
severity:    high
Gentoo bug:  36142
date:        2003-12-28
exploit:     unknown
affected:    <=1.11.10
fixed:       >=1.11.11

DESCRIPTION:

Quote from <http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88>:

"Stable CVS 1.11.11 has been released. Stable releases contain only
bug fixes from previous versions of CVS. This release adds code to
the CVS server to prevent it from continuing as root after a user
login, as an extra failsafe against a compromise of the
CVSROOT/passwd file. Previously, any user with the ability to write
the CVSROOT/passwd file could execute arbitrary code as the root
user on systems with CVS pserver access enabled. We recommend this
upgrade for all CVS servers!"

SOLUTION:

All Gentoo Linux machines with cvs installed should be updated to use
cvs-1.11.11 or higher.

    emerge sync
    emerge -pv '>=dev-util/cvs-1.11.11'
    emerge '>=dev-util/cvs-1.11.11'
    emerge clean
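
An added audit to run alongside the upgrade (not part of the advisory or of CVS): it lists pserver logins in a CVSROOT/passwd file that would run as root and reports whether the file mode lets group or others write it. It assumes the CVS manual's entry layout `login:crypted-password[:system-user]`; the function names and sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a pserver CVSROOT/passwd file (not code from the advisory).
# Assumed entry layout, per the CVS manual: login:crypted-password[:system-user]
# With no third field, the server runs as the account named by "login".

# audit_cvs_passwd FILE
# Prints "ROOT-MAPPED <login>" for each entry whose run-as account is root
# (by name, or uid 0 in the local account database). Returns 1 if any is found.
audit_cvs_passwd() {
    found=0
    while IFS=: read -r login _crypt sysuser _rest || [ -n "$login" ]; do
        [ -n "$login" ] || continue              # skip blank lines
        runas=${sysuser:-$login}
        uid=$(id -u -- "$runas" 2>/dev/null) || uid=
        if [ "$runas" = root ] || [ "$uid" = 0 ]; then
            echo "ROOT-MAPPED $login"
            found=1
        fi
    done < "$1"
    return "$found"
}

# loosely_writable FILE
# True when the file mode grants write access to group or others.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# demo: audit four constructed entries; the last two resolve to root.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' 'alice:XXXX:cvs_example_user' 'carol_example:XXXX' \
        'mallory:XXXX:root' 'root:XXXX' > "$tmp"
    audit_cvs_passwd "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# With a path argument, audit that file (the path below is a placeholder):
#   sh audit-cvs-passwd.sh /path/to/repo/CVSROOT/passwd
if [ "$#" -gt 0 ]; then
    loosely_writable "$1" && echo "WARNING: $1 is group- or world-writable"
    audit_cvs_passwd "$1" || echo "WARNING: pserver logins map to root"
fi
```

File mode is only one of the ways an account can gain write access to CVSROOT/passwd, so a clean result here does not replace the upgrade.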


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/79SAnt0v0zAqOHYRAuWTAJ9UY/lAvsKQRtHLQZr/zDUf5eok6wCgumZt
ICbAjuPbALouwsdG16pqS6s=
=UQlf
-----END PGP SIGNATURE-----