53408 2004-06-09 07:02 0000 dev-util/cvs More vulnerabilities 2004-06-13 08:47:03 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All All RESOLVED FIXED http://security.e-matters.de/advisories/092004.html B1 [stable] P2 major --- 1 jaervosz@gentoo.org security@gentoo.org scandium@gentoo.org wschlich@gentoo.org jaervosz@gentoo.org 2004-06-09 07:02:10 0000 Stefan Esser discovered more bugs in CVS see link for further info. solar@gentoo.org 2004-06-09 07:06:41 0000 Advisory: More CVS remote vulnerabilities Release Date: 2004/06/09 Last Modified: 2004/06/09 Author: Stefan Esser [s.esser@e-matters.de] Application: CVS feature release <= 1.12.8 CVS stable release <= 1.11.16 Severity: Vulnerabilities within CVS allow remote compromise of CVS servers. Risk: Critical Vendor Status: Vendor has released bugfixed versions. Reference: http://security.e-matters.de/advisories/092004.html solar@gentoo.org 2004-06-09 07:14:57 0000 *** Bug 53411 has been marked as a duplicate of this bug. *** solar@gentoo.org 2004-06-09 08:37:48 0000 From: Stefan Esser <s.esser@e-matters.de> To: Ned Ludd <solar@gentoo.org> Subject: Re: [Full-Disclosure] Advisory 09/2004: More CVS remote vulnerabilities Date: Wed, 9 Jun 2004 17:19:11 +0200 > For the sake of clarity could you state exactly which version(s) are > fixed. > > cvshome seems to have no >=1.11.17 for a stable branch. > The problem is that a coordinated release was planned for today 13:00 GMT but obvioulsy Derek Robert Price forgot to put them up. Meanwhile I have heard that within the next 60 minutes the new versions are out. Stefan Esser scandium@gentoo.org 2004-06-09 08:41:34 0000 I will immediatly test and put it into the tree then. scandium@gentoo.org 2004-06-09 10:56:46 0000 cvs-1.11.17 committed. Stable on x86, ~ on all other architectures. Please test and mark stable asap, I'd like to remove <=1.11.16 from the tree then. gmsoft@gentoo.org 2004-06-09 11:28:30 0000 Stable on hppa. ciaran.mccreesh@googlemail.com 2004-06-09 12:19:09 0000 mips, sparc stable koon@gentoo.org 2004-06-09 12:23:16 0000 CAN numbers : CAN-2004-0414 - no-null-termination of "Entry" lines CAN-2004-0416 - error_prog_name "double-free()" CAN-2004-0417 - Argument integer overflow CAN-2004-0418 - serve_notify() out of bounds writes jmaynard@gentoo.org 2004-06-09 12:34:25 0000 Stable on Alpha. kugelfang@gentoo.org 2004-06-09 12:53:52 0000 stable on amd64. lu_zero@gentoo.org 2004-06-09 14:12:21 0000 Marked ppc weeve@gentoo.org 2004-06-09 17:22:56 0000 Note that if you have the doc useflag set, the ebuild will currently fail to download all of the files as the .ps version of the cederqvist doc redirects you to a secure website. Even though wget was built with ssl support, it gives the following error; >>> Downloading http://ccvs.cvshome.org/files/documents/19/196/cederqvist-1.11.17.ps https: Unknown host Granted this isn't a show stopper but I thought people should be aware. I'm not on the CC so if you want to reply to me either add me or do it offline. Cheers scandium@gentoo.org 2004-06-09 17:36:28 0000 wget http://ccvs.cvshome.org/files/documents/19/196/cederqvist-1.11.17.ps The above works for me. I also dislike cvs' new site which changed directory paths so each file has its own number and the redirect to https/443 but I'm afraid currently we can't do much about it. koon@gentoo.org 2004-06-10 02:28:30 0000 The ebuild in CVS is still ~amd64. I suppose the stable keyword was lost somewhere. amd64 please confirm... Once amd64 is confirmed the GLSA is ready to go. kugelfang@gentoo.org 2004-06-10 03:14:43 0000 Confirming... i'm just still wondering why and how i forgot to commit ?!? [I double checked, it's really in now ;-) ] klieber@gentoo.org 2004-06-10 12:55:49 0000 glsa 200406-06 scandium@gentoo.org 2004-06-10 13:07:04 0000 Still not stable on arm, ia64, ppc64 and s390. Will hunt down some individuals now ;-) scandium@gentoo.org 2004-06-10 13:16:46 0000 stable on arm and ia64 scandium@gentoo.org 2004-06-13 08:47:03 0000 cvs-1.11.17 stable on all architectures now