Closed
Bug 189927
Opened 22 years ago
Closed 22 years ago
Security Hole in the CVS Server. Please update to CVS 1.11.5
Categories
(mozilla.org Graveyard :: Server Operations, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: Matti, Assigned: endico)
There is a security hole in the CVS server.
Mozilla.org should update their CVS server to fix that problem.
http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51
http://security.e-matters.de/advisories/012003.html
Comment 1•22 years ago
Should already be done.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 2•22 years ago
cvs-mirror:
Server: Concurrent Versions System (CVS) 1.11.4 (client/server)
cvs:
Server: Concurrent Versions System (CVS) 1.11.1p1 (client/server)
gila:
Server: Concurrent Versions System (CVS) 1.11.1p1 (client/server)
1.11.4 is indeed not vulnerable, per the release notes for CVS. From what I can
tell, it looks like they released 1.11.4 with the fix prior to the advisory
going out. 1.11.5 only changed the release notes to mention the fix that was in
1.11.4.
cvs and gila haven't been updated yet. (does it even matter on those, since
neither allows anonymous access, and anyone who gets access at all has write
access?)
Comment 3•22 years ago
*** Bug 189984 has been marked as a duplicate of this bug. ***
Comment 4•22 years ago
How could 1.11.4 have contained the fix if it was released on 12/28 and the
vendor wasn't notified until 1/4?
The only changes that were applied between 1.11.3 & 1.11.4 were the changes
I and others submitted to get cvs building on win32 again.
The only reference I see to the security hole is in the 1.11.5 release under
changes *since* 1.11.4.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 5•22 years ago
That was my fault; I misread it. I read that as "changes in 1.11.4" instead of
"changes since".
However, I've been informed that the patches were applied manually rather than
upgrading, so the 1.11.4 we're running does contain the security patches.
I'll let Chris confirm...
Comment 6•22 years ago
I found out about the vulnerability last week and discussed it with Steve Brown
of AOL IC, who quickly upgraded cvs-mirror to CVS version 1.11.4 *with the patch
applied*. Thus, cvs-mirror is no longer vulnerable to this bug, even though it
reports its version as 1.11.4. Our other two CVS servers, cvs and gila, are
also not vulnerable, since they do not allow anonymous read-only access.
Status: REOPENED → RESOLVED
Closed: 22 years ago → 22 years ago
Resolution: --- → FIXED
Comment 7•22 years ago
gila should probably be upgraded since there are some who would like read-only
access to the Web documents available by CVS. While this currently is not
allowed, there is no telling whether that will change in the future.
Updated•10 years ago
Product: mozilla.org → mozilla.org Graveyard