| Summary: | dev-vcs/cvs: heap-based buffer overflow (CVE-2010-3846) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | cvs-utils+obsolete |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | A2 [noglsa] | ||
| Package list: | | Runtime testing required: | --- |

Description
GLSAMaker/CVETool Bot
2011-10-08 13:54:24 UTC
cvs-1.11 is kept in the tree for users in environments where the server has not been upgraded to cvs-1.12. I can p.mask it if that's acceptable?

Sure.

1.11 is masked.

Could this go to the glsa request?

Ago, not ignoring you, we (Security) are evaluating Legacy GLSA requests.

This was actually patched long before this bug was ever opened. Please change your security flags on it. I only noticed now when I was about to treeclean this version that it was never vulnerable in the first place.

*cvs-1.11.23 (10 Feb 2011)

10 Feb 2011; Fabian Groffen <grobian@gentoo.org> +cvs-1.11.23.ebuild, +files/cvs-1.11.23-CVE-2010-3846.patch, +files/cvs-1.11.23-getline64.patch: Add latest officially released version of CVS. The 1.11 branch is the only that actually behaves on most Prefix platforms, all other versions are masked. For this reason, only Prefix keywords have been added, as it is mainly intended for them. Bug #313799

Okay then. Closing.