Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 47800 - dev-util/cvs : 1.11.15 update contains security fixes
Summary: dev-util/cvs : 1.11.15 update contains security fixes
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2004-04-14 08:35 UTC by gen2daniel
Modified: 2004-04-14 15:19 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---
condordes: Assigned_To? (condordes)


Note You need to log in before you can comment on or make changes to this bug.
Description gen2daniel 2004-04-14 08:35:46 UTC
Changes since 1.11.14:


* Piped checkouts of paths above $CVSROOT no longer work.  Previously, clients
  could have requested the contents of RCS archive files anywhere on a CVS


* Clients now check paths from the server to verify that they are within one of
  the sandboxes the user requested be updated.  Previously, a trojan server
  could have written or overwritten files anywhere the user had access,
  presenting a serious security risk.
Comment 1 Rainer Größlinger (RETIRED) gentoo-dev 2004-04-14 08:47:21 UTC
Hi, I already committed a cvs-1.11.15 ebuild about 5 minutes ago ;)
I was going to report this to our security guys but then I saw this bug already

I'd like to mark it stable on all archs later today if there are no objections.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-04-14 08:52:57 UTC
OK -- waiting for stable
Comment 3 Rainer Größlinger (RETIRED) gentoo-dev 2004-04-14 11:48:40 UTC
after doing the usual testing, it's now stable on all architectures
Comment 4 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-14 12:00:35 UTC
Excellent ... I'll start drafting a GLSA for this.
Comment 5 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-14 15:19:29 UTC
GLSA 200404-13.

Thanks Kurt for sending this one out, since I'm having problems with full-disclosure.