Changes since 1.11.14: ********************** SERVER SECURITY ISSUES * Piped checkouts of paths above $CVSROOT no longer work. Previously, clients could have requested the contents of RCS archive files anywhere on a CVS server. CLIENT SECURITY ISSUES * Clients now check paths from the server to verify that they are within one of the sandboxes the user requested be updated. Previously, a trojan server could have written or overwritten files anywhere the user had access, presenting a serious security risk.
Hi, I already committed a cvs-1.11.15 ebuild about 5 minutes ago ;) I was going to report this to our security guys but then I saw this bug already I'd like to mark it stable on all archs later today if there are no objections.
OK -- waiting for stable
after doing the usual testing, it's now stable on all architectures
Excellent ... I'll start drafting a GLSA for this.
GLSA 200404-13. Thanks Kurt for sending this one out, since I'm having problems with full-disclosure.