Message-ID: <3731FDC0-452C-11D8-B50A-000A95DC34AC@aero.und.edu>
Date: Mon, 12 Jan 2004 12:22:01 -0600
From: Caylan Larson <caylan@...o.und.edu>
To: bugzilla@...hat.com
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
redhat-watch-list@...hat.com
Subject: Re: [RHSA-2004:003-01] Updated CVS packages fix minor security issue
Minor... let's not worry about it. No one uses cvs anyways.
Caylan Van Larson
Linux Administrator
UND Aerospace
On Jan 12, 2004, at 9:44 AM, bugzilla@...hat.com wrote:
> - ---------------------------------------------------------------------
> Red Hat Security Advisory
>
> Synopsis: Updated CVS packages fix minor security issue
> Advisory ID: RHSA-2004:003-01
> Issue date: 2004-01-05
> Updated on: 2004-01-09
> Product: Red Hat Linux
> Keywords:
> Cross references:
> Obsoletes:
> CVE Names: CAN-2003-0977
> - ---------------------------------------------------------------------
>
> 1. Topic:
>
> Updated cvs packages closing a vulnerability that could allow cvs to
> attempt to create files and directories in the root file system are now
> available.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 9 - i386
>
> 3. Problem description:
>
> CVS is a version control system frequently used to manage source code
> repositories.
>
> A flaw was found in versions of CVS prior to 1.11.10 where a malformed
> module request could cause the CVS server to attempt to create files or
> directories at the root level of the file system. However, normal file
> system permissions would prevent the creation of these misplaced
> directories. The Common Vulnerabilities and Exposures project
> (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue.
>
> Users of CVS are advised to upgrade to these erratum packages, which
> contain a patch correcting this issue.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade. Only those
> RPMs which are currently installed will be updated. Those RPMs which are
> not installed but included in the list will not be updated. Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains the
> desired RPMs.
>
> Please note that this update is also available via Red Hat Network. Many
> people find this an easier way to apply updates. To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
>
> up2date
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
>
> 5. RPMs required:
>
> Red Hat Linux 9:
>
> SRPMS:
> ftp://updates.redhat.com/9/en/os/SRPMS/cvs-1.11.2-13.src.rpm
>
> i386:
> ftp://updates.redhat.com/9/en/os/i386/cvs-1.11.2-13.i386.rpm
>
> 6. Verification:
>
> MD5 sum                          Package Name
> --------------------------------------------------------------------------
> d6a3c1f6e8403e5d069ab124b3b8ab86 9/en/os/SRPMS/cvs-1.11.2-13.src.rpm
> e6919ce0f562781a3926107d932becee 9/en/os/i386/cvs-1.11.2-13.i386.rpm
>
> These packages are GPG signed by Red Hat for security. Our key is
> available from https://www.redhat.com/security/keys.html
>
> You can verify each package with the following command:
>
> rpm --checksig -v <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
>
> md5sum <filename>
>
> 7. References:
>
> http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84
> http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0081.html
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
>
> 8. Contact:
>
> The Red Hat security contact is <secalert@...hat.com>. More contact
> details at https://www.redhat.com/solutions/security/news/contact.html
>
> Copyright 2003 Red Hat, Inc.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
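A small checker for the "6. Verification" step of the quoted advisory, added here as an example and not Red Hat's own tooling: it parses the advisory's MD5 table as printed above and reports each listed package in a local directory as ok, mismatch or missing. It only confirms integrity against the published sums; the rpm --checksig step in the advisory remains the authenticity check.

```python
import hashlib
import os
import re

# Verification table as printed in section 6 of RHSA-2004:003-01 (copied from the advisory above).
ADVISORY_TABLE = """\
MD5 sum                          Package Name
--------------------------------------------------------------------------
d6a3c1f6e8403e5d069ab124b3b8ab86 9/en/os/SRPMS/cvs-1.11.2-13.src.rpm
e6919ce0f562781a3926107d932becee 9/en/os/i386/cvs-1.11.2-13.i386.rpm
"""

# One table row: 32 hex digits, whitespace, the package path relative to updates.redhat.com.
LINE_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def parse_advisory_sums(table_text):
    """Return {package basename: expected md5} from an advisory verification table.
    Header and separator lines do not match LINE_RE and are skipped."""
    sums = {}
    for line in table_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sums[os.path.basename(m.group(2))] = m.group(1)
    return sums


def md5_of_file(path):
    """MD5 of a file, read in chunks so large RPMs are not loaded into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(table_text, directory):
    """Compare each package listed in the table against the file of the same name
    in `directory`. Returns {basename: 'ok' | 'mismatch' | 'missing'}."""
    results = {}
    for name, expected in parse_advisory_sums(table_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    # Assumes the downloaded RPMs sit in the current directory.
    for name, status in verify_packages(ADVISORY_TABLE, ".").items():
        print(f"{status:9s} {name}")
```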