Bug 47800

Summary:	dev-util/cvs : 1.11.15 update contains security fixes
Product:	Gentoo Security	Reporter:	gen2daniel <gen2daniel>
Component:	GLSA Errors	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	condordes, scandium
Priority:	High	Flags:	condordes: Assigned_To? (condordes)
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.92&content-type=text/x-cvsweb-markup
Whiteboard:
Package list:		Runtime testing required:	---

Description gen2daniel 2004-04-14 08:35:46 UTC

Changes since 1.11.14:
**********************

SERVER SECURITY ISSUES

* Piped checkouts of paths above $CVSROOT no longer work.  Previously, clients
  could have requested the contents of RCS archive files anywhere on a CVS
  server.

CLIENT SECURITY ISSUES

* Clients now check paths from the server to verify that they are within one of
  the sandboxes the user requested be updated.  Previously, a trojan server
  could have written or overwritten files anywhere the user had access,
  presenting a serious security risk.

Comment 1 Rainer Größlinger (RETIRED) gentoo-dev

2004-04-14 08:47:21 UTC

Hi, I already committed a cvs-1.11.15 ebuild about 5 minutes ago ;)
I was going to report this to our security guys but then I saw this bug already

I'd like to mark it stable on all archs later today if there are no objections.

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2004-04-14 08:52:57 UTC

OK -- waiting for stable

Comment 3 Rainer Größlinger (RETIRED) gentoo-dev

2004-04-14 11:48:40 UTC

after doing the usual testing, it's now stable on all architectures

Comment 4 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev

2004-04-14 12:00:35 UTC

Excellent ... I'll start drafting a GLSA for this.

Comment 5 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev

2004-04-14 15:19:29 UTC

GLSA 200404-13.

Thanks Kurt for sending this one out, since I'm having problems with full-disclosure.