Security Hole in the CVS Server. Please update to CVS 1.11.5

RESOLVED FIXED

Status

mozilla.org Graveyard
Server Operations
RESOLVED FIXED
15 years ago
3 years ago

People

(Reporter: Matti, Assigned: Dawn Endico)

Tracking

Details

(URL)

(Reporter)

Description

15 years ago
There is a security hole in the cvs server.
Mozilla.org should update their CVS server to fix that problem.

http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51
http://security.e-matters.de/advisories/012003.html
Should already be done.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
cvs-mirror:
Server: Concurrent Versions System (CVS) 1.11.4 (client/server)

cvs:
Server: Concurrent Versions System (CVS) 1.11.1p1 (client/server)

gila:
Server: Concurrent Versions System (CVS) 1.11.1p1 (client/server)

1.11.4 is indeed not vulnerable, per the release notes for CVS.  From what I can
tell, it looks like they released 1.11.4 with the fix prior to the advisory
going out.  1.11.5 only changed the release notes to mention the fix that was in
1.11.4.

cvs and gila haven't been updated yet.  (does it even matter on those, since
neither allows anonymous access, and anyone who gets access at all has write
access?)
*** Bug 189984 has been marked as a duplicate of this bug. ***
How could 1.11.4 have contained the fix if it was released on 12/28 and the
vendor wasn't notified until 1/4 ?

The only changes that were applied between 1.11.3 & 1.11.4 were the changes
myself and others submitted to get cvs building on win32 again.

The only reference I see to the security hole is in the 1.11.5 release under
changes *since* 1.11.4.  

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
That was my fault, I misread it.  I read that as "changes in 1.11.4" instead of
"changes since".

However, I've been informed that the patches were applied manually rather than
upgrading, so the 1.11.4 we're running does contain the security patches.

I'll let Chris confirm...
I found out about the vulnerability last week and discussed it with Steve Brown
of AOL IC, who quickly upgraded cvs-mirror to CVS version 1.11.4 *with the patch
applied*.  Thus, cvs-mirror is no longer vulnerable to this bug, even though it
reports its version as 1.11.4.  Our other two CVS servers, cvs and gila, are
also not vulnerable, since they do not allow anonymous read-only access.
Status: REOPENED → RESOLVED
Last Resolved: 15 years ago15 years ago
Resolution: --- → FIXED

Comment 7

15 years ago
gila should probably be upgraded since there are some who would like read-only
access to the Web documents available by CVS.  While this currently is not
allowed, there is no telling whether that will change in the future.
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.