On Mon, Jan 12, 2004 at 08:45:47AM -0800, Jesse Keating wrote:
> So, I just saw this morning that RH issued an update for CVS, and in the
> information there was this line:
>
> A flaw was found in versions of CVS prior to 1.11.10 where a malformed
> module request could cause the CVS server to attempt to create files or
> directories at the root level of the file system. However, normal file
> system permissions would prevent the creation of these misplaced
> directories. The Common Vulnerabilities and Exposures project
> (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue.
>
> Since RHL 8/7.x presumably have a CVS version that is prior to 1.11.10,
> we need to investigate and possibly backport the fix. Any volunteers?
>

Seth posted a src.rpm to the list a week or so ago for cvs to fix a more serious root exploit vuln. I was in the process of verifying it to submit to the bugzilla, so I can check this out as well and patch it in.

-j