diff options
Diffstat (limited to 'metadata/glsa/glsa-200312-04.xml')
-rw-r--r-- | metadata/glsa/glsa-200312-04.xml | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-200312-04.xml b/metadata/glsa/glsa-200312-04.xml new file mode 100644 index 000000000000..1f938427a057 --- /dev/null +++ b/metadata/glsa/glsa-200312-04.xml @@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="200312-04"> + <title>CVS: malformed module request vulnerability</title> + <synopsis> + A bug in cvs could allow attempts to create files and directories outside a + repository. + </synopsis> + <product type="ebuild">CVS</product> + <announced>2003-12-08</announced> + <revised count="01">2003-12-08</revised> + <bug>35371</bug> + <access>unknown</access> + <affected> + <package name="dev-util/cvs" auto="yes" arch="*"> + <unaffected range="ge">1.11.10</unaffected> + <vulnerable range="le">1.11.9</vulnerable> + </package> + </affected> + <background> + <p> + CVS, which stands for Concurrent Versions System, is a client/server + application which tracks changes to sets of files. It allows multiple users + to work concurrently on files, and then merge their changes back into the + main tree (which can be on a remote system). It also allows branching, or + maintaining separate versions for files. + </p> + </background> + <description> + <p> + Quote from ccvs.cvshome.org/servlets/NewsItemView?newsID=84: + "Stable CVS 1.11.10 has been released. Stable releases contain only bug + fixes from previous versions of CVS. This release fixes a security issue + with no known exploits that could cause previous versions of CVS to attempt + to create files and directories in the filesystem root. This release also + fixes several issues relevant to case insensitive filesystems and some other + bugs. We recommend this upgrade for all CVS clients and servers!" + </p> + </description> + <impact type="minimal"> + <p> + Attempts to create files and directories outside the repository may be + possible. + </p> + </impact> + <workaround> + <p> + There is no known workaround at this time. + </p> + </workaround> + <resolution> + <p> + All Gentoo Linux machines with cvs installed should be updated to use + dev-util/cvs-1.11.10 or higher: + </p> + <code> + # emerge sync + # emerge -pv '>=dev-util/cvs-1.11.10' + # emerge '>=dev-util/cvs-1.11.10' + # emerge clean</code> + </resolution> + <references> + <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977">CAN-2003-0977</uri> + </references> +</glsa> |