Changes since 1.11.14:
SERVER SECURITY ISSUES
* Piped checkouts of paths above $CVSROOT no longer work. Previously, clients
could have requested the contents of RCS archive files anywhere on a CVS
CLIENT SECURITY ISSUES
* Clients now check paths from the server to verify that they are within one of
the sandboxes the user requested be updated. Previously, a trojan server
could have written or overwritten files anywhere the user had access,
presenting a serious security risk.
Hi, I already committed a cvs-1.11.15 ebuild about 5 minutes ago ;)
I was going to report this to our security guys but then I saw this bug already
I'd like to mark it stable on all archs later today if there are no objections.
OK -- waiting for stable
after doing the usual testing, it's now stable on all architectures
Excellent ... I'll start drafting a GLSA for this.
Thanks Kurt for sending this one out, since I'm having problems with full-disclosure.