The Slackware Linux Project: Mailing List Info

Mailing List Info

News
Security Advisories
FAQ
Book
General Info
Get Slack
Install Help
Configuration
Packages
ChangeLogs
Propaganda
Ports
Other Sites
Support
Contact

Mailing Lists
Archives

About

From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] cvs security update (SSA:2004-108-02)
Date: Sun, 18 Apr 2004 16:40:41 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  cvs security update (SSA:2004-108-02)

CVS is a client/server version control system.  As a server, it
is used to host source code repositories.  As a client, it is
used to access such repositories.  This advisory affects both uses
of CVS.

A security problem which could allow a server to create arbitrary
files on a client machine, and another security problem which may
allow a client to view files outside of the CVS repository have
been fixed with the release of cvs-1.11.15.

Any sites running CVS should upgrade to the new CVS package.


Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sat Apr 17 14:09:23 PDT 2004
patches/packages/cvs-1.11.15-i486-1.tgz:  Upgraded to cvs-1.11.15.
  Fixes two security problems (server creating arbitrary files on a client
  machine, and client viewing files outside of the CVS repository).
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0180
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405
  (* Security fix *)
+--------------------------+


WHERE TO FIND THE NEW PACKAGE:
+-----------------------------+

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/cvs-1.11.15-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/cvs-1.11.15-i386-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/cvs-1.11.15-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/cvs-1.11.15-i486-1.tgz


MD5 SIGNATURES:
+-------------+

Slackware 8.1 package:
e8ba67add4c86d0bd8b7dc1ce265752a  cvs-1.11.15-i386-1.tgz

Slackware 9.0 package:
177b19dd98655f6811053f29286e4ab7  cvs-1.11.15-i386-1.tgz

Slackware 9.1 package:
80a99f7f4e2606d6c45ad60614cef81b  cvs-1.11.15-i486-1.tgz

Slackware -current package:
6e6cbad9deab1a53c1543c72d0acad1c  cvs-1.11.15-i486-1.tgz


INSTALLATION INSTRUCTIONS:
+------------------------+

First, shut down the cvs server if you are running one.

Then, upgrade the package:
# upgradepkg cvs-1.11.10-i486-1.tgz

Finally, restart the CVS server.


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAgbJSakRjwEAQIjMRAm2MAJ0dp/2OgYp9Bp9glVCncULikT9+EgCgkarc
C2lF1sQRWvJynY70L5hQP0Y=
=emVX
-----END PGP SIGNATURE-----

Slackware™ is a trademark of Patrick Volkerding.