|Summary:||dev-util/cvs : 1.11.15 update contains security fixes|
|Product:||Gentoo Security||Reporter:||gen2daniel <gen2daniel>|
|Component:||GLSA Errors||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description gen2daniel 2004-04-14 08:35:46 UTC
Changes since 1.11.14: ********************** SERVER SECURITY ISSUES * Piped checkouts of paths above $CVSROOT no longer work. Previously, clients could have requested the contents of RCS archive files anywhere on a CVS server. CLIENT SECURITY ISSUES * Clients now check paths from the server to verify that they are within one of the sandboxes the user requested be updated. Previously, a trojan server could have written or overwritten files anywhere the user had access, presenting a serious security risk.
Comment 1 Rainer Größlinger (RETIRED) 2004-04-14 08:47:21 UTC
Hi, I already committed a cvs-1.11.15 ebuild about 5 minutes ago ;) I was going to report this to our security guys but then I saw this bug already I'd like to mark it stable on all archs later today if there are no objections.
Comment 2 Thierry Carrez (RETIRED) 2004-04-14 08:52:57 UTC
OK -- waiting for stable
Comment 3 Rainer Größlinger (RETIRED) 2004-04-14 11:48:40 UTC
after doing the usual testing, it's now stable on all architectures
Comment 4 Joshua J. Berry (CondorDes) (RETIRED) 2004-04-14 12:00:35 UTC
Excellent ... I'll start drafting a GLSA for this.
Comment 5 Joshua J. Berry (CondorDes) (RETIRED) 2004-04-14 15:19:29 UTC
GLSA 200404-13. Thanks Kurt for sending this one out, since I'm having problems with full-disclosure.