From secure@conectiva.com.br Thu Jan 23 14:31:00 2003
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org
Date: Thu, 23 Jan 2003 14:06:07 -0200
Subject: [CLA-2003:561] Conectiva Linux Security Announcement - cvs

--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE   : cvs
SUMMARY   : Update: cvs remote double free() vulnerability
DATE      : 2003-01-23 10:54:00
ID        : CLA-2003:561
RELEVANT
RELEASES  : 6.0, 7.0, 8

-------------------------------------------------------------------------

DESCRIPTION
 CVS is a version control system largely used in software projects.

 During a code audit, Stefan Esser discovered a double free() vulnerability[2][3] in the CVS code. This vulnerability can be exploited by remote users, authenticated or anonymous, to execute arbitrary commands on the server.

 Please note that users with write access to CVS (the so-called "committers") usually already have shell access on the server, or can easily get shell access, as has already been discussed elsewhere[4].

 Besides fixing the double free vulnerability, the new packages provided with this update now have the Checkin-prog and Update-prog commands disabled.

 UPDATE
 The previous CVS update (CLSA-2003:560), while indeed fixing the security vulnerability, introduced problems which prevented it from being used, due to the way the Checkin-prog and Update-prog commands were disabled. This has now been fixed.

SOLUTION
 It is recommended that all CVS administrators upgrade their packages immediately.

REFERENCES
 1. http://www.cvshome.org/
 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
 3. http://security.e-matters.de/advisories/012003.html
 4. http://online.securityfocus.com/archive/1/72584
 5. http://bugzilla.conectiva.com/show_bug.cgi?id=7507

UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/cvs-1.10.8-5U60_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-1.10.8-5U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-doc-1.10.8-5U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/cvs-1.11-7U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-1.11-7U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-doc-1.11-7U70_3cl.i386.r
ftp://atualizacoes.conectiva.com.br/8/SRPMS/cvs-1.11-9U80_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-1.11-9U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-doc-1.11-9U80_3cl.i386.rpm

ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages:
 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key.
The key and instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be found at
http://distro.conectiva.com.br/seguranca/politica/?idioma=en

-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
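Because the earlier CLSA-2003:560 build also claimed to fix the bug but was unusable, an administrator will want to confirm that each host carries the build listed in this advisory, not the previous one. The following is an added example, not part of the Conectiva advisory; it assumes the installed version-release string is obtained with `rpm -q --qf '%{VERSION}-%{RELEASE}' cvs` and compares it with the fixed builds listed above.

```shell
#!/bin/sh
# Added example, not from the advisory: check whether an installed cvs
# package is the fixed build from CLA-2003:561 (or a later Conectiva
# rebuild of the same upstream version).

# Fixed version-release per Conectiva release, from the advisory's list.
fixed_release_for() {
    case "$1" in
        6.0) echo "1.10.8-5U60_4cl" ;;
        7.0) echo "1.11-7U70_3cl" ;;
        8)   echo "1.11-9U80_3cl" ;;
        *)   return 1 ;;
    esac
}

# Conectiva build counter: "1.11-7U70_3cl" -> "3". Fails (prints nothing)
# if the string does not follow the <ver>-<n>U<rel>_<counter>cl pattern.
build_counter() {
    c=${1##*_}; c=${c%cl}
    case "$c" in ''|*[!0-9]*) return 1 ;; esac
    echo "$c"
}

# cvs_fixed <conectiva release> <version-release>
# <version-release> is what 'rpm -q --qf "%{VERSION}-%{RELEASE}" cvs'
# prints. Returns 0 only when the upstream version and Conectiva tag match
# the fixed build and the build counter is at least the fixed one; anything
# else (including a different upstream version) is reported as not fixed
# so that it gets looked at by hand.
cvs_fixed() {
    fixed=$(fixed_release_for "$1") || return 1
    inst=$2
    [ "${fixed%%-*}" = "${inst%%-*}" ] || return 1   # upstream version
    ftag=${fixed#*-}; ftag=${ftag%%_*}
    itag=${inst#*-};  itag=${itag%%_*}
    [ "$ftag" = "$itag" ] || return 1                # e.g. 7U70
    fc=$(build_counter "$fixed") || return 1
    ic=$(build_counter "$inst")  || return 1
    [ "$ic" -ge "$fc" ]
}

# Stand-alone use on a Conectiva 7.0 host (constructed invocation):
# cvs_fixed 7.0 "$(rpm -q --qf '%{VERSION}-%{RELEASE}' cvs)" && echo fixed
```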