51460 2004-05-19 08:50 0000 dev-util/cvs<=1.11.15 remote heap overflow 2004-06-09 10:26:42 0000 1 1 1 Unclassified Gentoo Security GLSA Errors unspecified All All RESOLVED FIXED http://security.e-matters.de/advisories/072004.html P2 critical --- 1 n2n@front.ru security@gentoo.org scandium@gentoo.org n2n@front.ru 2004-05-19 08:50:38 0000 Application: CVS feature release <= 1.12.7 CVS stable release <= 1.11.15 Severity: A vulnerability within CVS allows remote compromise of CVS servers. Risk: Critical Reference: http://security.e-matters.de/advisories/072004.html CVE Information: CAN-2004-0396 Workaround: Upstream vendor has supposedly released a patched version. koon@gentoo.org 2004-05-19 08:56:16 0000 Fix in 1.11.16 scandium : could you please bump to that version ? Thanks scandium@gentoo.org 2004-05-19 09:35:20 0000 cvs-1.11.16 is in the tree now, but still ~ on all archs besides x86. scandium@gentoo.org 2004-05-19 09:40:28 0000 Architecture people, please mark cvs-1.11.16 stable as soon as possible, thank you. gmsoft@gentoo.org 2004-05-19 10:33:08 0000 Marked stable on hppa. ciaran.mccreesh@googlemail.com 2004-05-19 12:57:21 0000 sparc, mips done kloeri@gentoo.org 2004-05-19 13:04:43 0000 Stable on alpha. avenj@gentoo.org 2004-05-19 13:22:58 0000 Stable on amd64 pylon@gentoo.org 2004-05-19 14:21:12 0000 Stable on ppc. Our very own cvs-server got already updated, too. koon@gentoo.org 2004-05-19 14:23:21 0000 Ready for a GLSA koon@gentoo.org 2004-05-20 10:01:03 0000 GLSA drafted koon@gentoo.org 2004-05-20 11:41:03 0000 GLSA 200405-12 randy@gentoo.org 2004-05-20 18:03:51 0000 Stable on s390 scandium@gentoo.org 2004-05-21 05:00:24 0000 missed ppc64 :) scandium@gentoo.org 2004-06-02 14:17:07 0000 It is still not stable on ia64, ppc64 and arm. Would be nice if those people could look at it and mark >=1.11.16 stable tgall@gentoo.org 2004-06-02 18:46:41 0000 stable on ppc64 scandium@gentoo.org 2004-06-07 16:02:26 0000 ppc64 stabled by tgall arm stabled by vapier ia64 still missing :( scandium@gentoo.org 2004-06-09 08:15:33 0000 stable on ia64 by agriffis solar@gentoo.org 2004-06-09 10:22:50 0000 We might want to hold off on the GLSA on this one. More vulns were found in cvs see bug #53408 scandium@gentoo.org 2004-06-09 10:26:42 0000 solar, the GLSA for this has already been sent out on May 20th. (glsa-200405-12)