Message-ID: <3731FDC0-452C-11D8-B50A-000A95DC34AC@aero.und.edu>
Date: Mon, 12 Jan 2004 12:22:01 -0600
From: Caylan Larson <caylan@...o.und.edu>
To: bugzilla@...hat.com
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
   redhat-watch-list@...hat.com
Subject: Re: [RHSA-2004:003-01] Updated CVS packages fix minor security issue


Minor... let's not worry about it.  No one uses cvs anyways.


Caylan Van Larson
Linux Administrator
   UND Aerospace


On Jan 12, 2004, at 9:44 AM, bugzilla@...hat.com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ---------------------------------------------------------------------
>                    Red Hat Security Advisory
>
> Synopsis:          Updated CVS packages fix minor security issue
> Advisory ID:       RHSA-2004:003-01
> Issue date:        2004-01-05
> Updated on:        2004-01-09
> Product:           Red Hat Linux
> Keywords:
> Cross references:
> Obsoletes:
> CVE Names:         CAN-2003-0977
> - ---------------------------------------------------------------------
>
> 1. Topic:
>
> Updated cvs packages closing a vulnerability that could allow cvs to
> attempt to create files and directories in the root file system are now
> available.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 9 - i386
>
> 3. Problem description:
>
> CVS is a version control system frequently used to manage source code
> repositories.
>
> A flaw was found in versions of CVS prior to 1.11.10 where a malformed
> module request could cause the CVS server to attempt to create files or
> directories at the root level of the file system.  However, normal file
> system permissions would prevent the creation of these misplaced
> directories.  The Common Vulnerabilities and Exposures project
> (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue.
>
> Users of CVS are advised to upgrade to these erratum packages, which
> contain a patch correcting this issue.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade.  Only those
> RPMs which are currently installed will be updated.  Those RPMs which are
> not installed but included in the list will not be updated.  Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains the
> desired RPMs.
>
> Please note that this update is also available via Red Hat Network.  Many
> people find this an easier way to apply updates.  To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
>
> up2date
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
>
> 5. RPMs required:
>
> Red Hat Linux 9:
>
> SRPMS:
> ftp://updates.redhat.com/9/en/os/SRPMS/cvs-1.11.2-13.src.rpm
>
> i386:
> ftp://updates.redhat.com/9/en/os/i386/cvs-1.11.2-13.i386.rpm
>
>
>
> 6. Verification:
>
> MD5 sum                          Package Name
> - ---------------------------------------------------------------------
> d6a3c1f6e8403e5d069ab124b3b8ab86 9/en/os/SRPMS/cvs-1.11.2-13.src.rpm
> e6919ce0f562781a3926107d932becee 9/en/os/i386/cvs-1.11.2-13.i386.rpm
>
>
> These packages are GPG signed by Red Hat for security.  Our key is
> available from https://www.redhat.com/security/keys.html
>
> You can verify each package with the following command:
>
>     rpm --checksig -v <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
>
>     md5sum <filename>
>
>
> 7. References:
>
> http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84
> http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0081.html
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
>
> 8. Contact:
>
> The Red Hat security contact is <secalert@...hat.com>.  More contact
> details at https://www.redhat.com/solutions/security/news/contact.html
>
> Copyright 2003 Red Hat, Inc.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
>
> iD8DBQFAAsDuXlSAg2UNWIIRAjaHAJ4w+12/x0qnX3Co3ADAQqYoX71FjQCgue5S
> 9AQ3nhetRLJgJMyB5NZRJuY=
> =eOLt
> -----END PGP SIGNATURE-----
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
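A small verification helper for section 6 of the quoted advisory, added here as an example (it is not Red Hat's tooling or code from the original message): it reads the advisory's "MD5 sum / Package Name" table and checks each downloaded RPM, reporting OK, MISMATCH or MISSING. It assumes the table was saved to a text file as `<md5> <relative path>` lines and that the downloads kept the same relative paths under one directory; the demo packages and their sums are constructed, and the MD5 check covers download integrity only, while authenticity is the separate `rpm --checksig -v` step the advisory gives.

```shell
#!/bin/sh
# Added example, not part of the advisory. Verifies downloaded RPMs against
# the "<md5hex> <relative path>" table from section 6 of the advisory.

# verify_md5_table TABLE_FILE DOWNLOAD_DIR
# Prints OK / MISMATCH / MISSING per package; returns 1 if any is not OK.
verify_md5_table() {
    table="$1"; dir="$2"; status=0
    while read -r expected path; do
        # Skip blank lines, the "MD5 sum  Package Name" header and the rule.
        case "$expected" in ""|"MD5"|"-"*) continue ;; esac
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $actual, expected $expected)"; status=1
        fi
    done < "$table"
    return $status
}

# Constructed demo: two fake packages using the advisory's file names; the
# source RPM is overwritten after the table is built to simulate corruption.
demo() {
    tmp=$(mktemp -d)
    bin="9/en/os/i386/cvs-1.11.2-13.i386.rpm"
    src="9/en/os/SRPMS/cvs-1.11.2-13.src.rpm"
    mkdir -p "$tmp/9/en/os/i386" "$tmp/9/en/os/SRPMS"
    printf 'binary package' > "$tmp/$bin"
    printf 'source package' > "$tmp/$src"
    {
        printf 'MD5 sum                          Package Name\n'
        printf '%s %s\n' "$(md5sum "$tmp/$bin" | cut -d' ' -f1)" "$bin"
        printf '%s %s\n' "$(md5sum "$tmp/$src" | cut -d' ' -f1)" "$src"
    } > "$tmp/table.txt"
    printf 'tampered' > "$tmp/$src"   # corrupt the source RPM after hashing
    rc=0
    verify_md5_table "$tmp/table.txt" "$tmp" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```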
