Linux Security
Linux Security
Linux Security

Debian: cvsweb vulnerability

Date 16 Jul 2000
3703
Posted By LinuxSecurity Advisories
cvsweb is vulnerable to a remote shell exploit.
-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory                             This email address is being protected from spambots. You need JavaScript enabled to view it. 
https://www.debian.org/security/                         Wichert Akkerman
July 16, 2000
- ------------------------------------------------------------------------


Package: cvsweb
Vulnerability type: remote shell
Debian-specific: no

The versions of cvsweb distributed in Debian GNU/Linux 2.1 (aka slink) as
well as in the frozen (potato) and unstable (woody) distributions, are
vulnerable to a remote shell exploit. An attacker with write access to the
cvs repository can execute arbitrary code on the server, as the www-data
user.

The vulnerability is fixed in version 109 of cvsweb for the current stable
release (Debian 2.1), in version 1.79-3potato1 for the frozen distribution,
and in version 1.86-1 for the unstable distribution.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.1 alias slink
- ------------------------------------

  Source archives:
     https://security.debian.org/dists/stable/updates/source/cvsweb_109.dsc
      MD5 checksum: b1810728310882fb72078674521ee369
     https://security.debian.org/dists/stable/updates/source/cvsweb_109.tar.gz
      MD5 checksum: 4c42ec3ba7248fc2499cdfaa6ae6b702

  Architecture indendent archives:
     https://security.debian.org/dists/stable/updates/binary-all/cvsweb_109_all.deb
      MD5 checksum: fe9144254ab224923ac627aef7ec2167

Debian GNU/Linux 2.2 alias potato
- -------------------------------------

  Please note that potato has not been released yet.

  Source archives:
     https://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.diff.gz
      MD5 checksum: 9dcb469f5da602cd53e41258febba244
     https://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.dsc
      MD5 checksum: b4aceba93a6721486f8ca42f230c7271
     https://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79.orig.tar.gz
      MD5 checksum: c755a4c75d4c8844274458ae5953823b

  Binary package for all architectures:
     https://http.us.debian.org/debian/dists/potato/main/binary-all/devel/cvsweb_1.79-3potato1.deb
      MD5 checksum: 1b89d61312925ee7934108c4f638d912

Debian GNU/Linux unstable alias woody
- -------------------------------------

  Please note that woody has not been released yet.

  Source archives:
     https://http.us.debian.org/debian/dists/woody/main/source/devel/cvsweb_1.86-1.diff.gz
      MD5 checksum: e3fc2117d689746eaa2cf4c8a701aa4e 
     https://http.us.debian.org/debian/dists/woody/main/source/devel/cvsweb_1.86-1.dsc
      MD5 checksum: 0b2b9bf0b1fe39552da03698ba37bc36
     https://http.us.debian.org/debian/dists/woody/main/source/devel/cvsweb_1.86.orig.tar.gz
      MD5 checksum: ea93ed274ec6fbd49cec57c759747cb7

  Binary package for all architectures:
     https://http.us.debian.org/debian/dists/woody/main/binary-all/devel/cvsweb_1.86-1.deb
      MD5 checksum: a99c605e0d77f1c56a82c95a3dc6d83f



- -- 
- ----------------------------------------------------------------------------
For apt-get: deb  https://security.debian.org/ stable updates
For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates
Mailing list: debian-security-This email address is being protected from spambots. You need JavaScript enabled to view it.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBOXFYwajZR/ntlUftAQH1KwL/WH/WLKH+OXFE/Ut+QDy5/NEEtjsAGn8K
ptgWr+AFj9H4Ih/UoX//VfWKNpVNCZFfucFPd+ohFLiy+1yfrrCQMQXjgA7CYw2L
w1Im7OXJBrK/y6NiiRNijCDOyC1nDofd
=U5iJ
-----END PGP SIGNATURE-----

LinuxSecurity Poll

How frequently do you patch/update your system?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum 0 answer(s) and maximum 3 answer(s).
/main-polls/52-how-frequently-do-you-patch-update-your-system?task=poll.vote&format=json
52
radio
[{"id":"179","title":"As soon as patches\/updates are released - I track advisories for my distro(s) diligently","votes":"47","type":"x","order":"1","pct":79.66,"resources":[]},{"id":"180","title":"Every so often, when I think of it","votes":"7","type":"x","order":"2","pct":11.86,"resources":[]},{"id":"181","title":"Hardly ever","votes":"5","type":"x","order":"3","pct":8.47,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

Please vote first in order to view vote results.

VOTE ON THE POLL PAGE


VIEW MORE POLLS

bottom 200

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.