There is a security hole in the cvs server. Mozilla.org should update their CVS server to fix that problem. http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51 http://security.e-matters.de/advisories/012003.html
Should already be done.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
cvs-mirror: Server: Concurrent Versions System (CVS) 1.11.4 (client/server) cvs: Server: Concurrent Versions System (CVS) 1.11.1p1 (client/server) gila: Server: Concurrent Versions System (CVS) 1.11.1p1 (client/server) 1.11.4 is indeed not vulnerable, per the release notes for CVS. From what I can tell, it looks like they released 1.11.4 with the fix prior to the advisory going out. 1.11.5 only changed the release notes to mention the fix that was in 1.11.4. cvs and gila haven't been updated yet. (does it even matter on those, since neither allows anonymous access, and anyone who gets access at all has write access?)
*** Bug 189984 has been marked as a duplicate of this bug. ***
How could 1.11.4 have contained the fix if it was released on 12/28 and the vendor wasn't notified until 1/4 ? The only changes that were applied between 1.11.3 & 1.11.4 were the changes myself and others submitted to get cvs building on win32 again. The only reference I see to the security hole is in the 1.11.5 release under changes *since* 1.11.4.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
That was my fault, I misread it. I read that as "changes in 1.11.4" instead of "changes since". However, I've been informed that the patches were applied manually rather than upgrading, so the 1.11.4 we're running does contain the security patches. I'll let Chris confirm...
I found out about the vulnerability last week and discussed it with Steve Brown of AOL IC, who quickly upgraded cvs-mirror to CVS version 1.11.4 *with the patch applied*. Thus, cvs-mirror is no longer vulnerable to this bug, even though it reports its version as 1.11.4. Our other two CVS servers, cvs and gila, are also not vulnerable, since they do not allow anonymous read-only access.
Status: REOPENED → RESOLVED
Last Resolved: 15 years ago → 15 years ago
Resolution: --- → FIXED
gila should probably be upgraded since there are some who would like read-only access to the Web documents available by CVS. While this currently is not allowed, there is no telling whether that will change in the future.
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.