During a security audit of Chora, a vulnerability within the diff viewing functionality was discovered. This hole allows arbitrary shellcode injection. Combined with PHP's file upload functionality, this gives the opportunity to upload arbitrary binaries and to execute them. (In default configurations)
Concurrent Versions System (CVS) is the dominant open-source version control software that allows developers to access the latest code using a network connection.
http://security.e-matters.de/advisories/102004.html
Mike -- can you please review/patch as needed?
1.2.1 removed from cvs and 1.2.2 added (stable on all arches)
GLSA ready
GLSA 200406-09