Linux Security

    Debian: cvsweb vulnerability

    cvsweb is vulnerable to a remote shell exploit.
    -----BEGIN PGP SIGNED MESSAGE-----
    
    - ------------------------------------------------------------------------
    Debian Security Advisory
    https://www.debian.org/security/                         Wichert Akkerman
    July 16, 2000
    - ------------------------------------------------------------------------
    
    
    Package: cvsweb
    Vulnerability type: remote shell
    Debian-specific: no
    
    The versions of cvsweb distributed in Debian GNU/Linux 2.1 (aka slink) as
    well as in the frozen (potato) and unstable (woody) distributions, are
    vulnerable to a remote shell exploit. An attacker with write access to the
    cvs repository can execute arbitrary code on the server, as the www-data
    user.
    
    The vulnerability is fixed in version 109 of cvsweb for the current stable
    release (Debian 2.1), in version 1.79-3potato1 for the frozen distribution,
    and in version 1.86-1 for the unstable distribution.
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    Debian GNU/Linux 2.1 alias slink
    - ------------------------------------
    
      Source archives:
         https://security.debian.org/dists/stable/updates/source/cvsweb_109.dsc
          MD5 checksum: b1810728310882fb72078674521ee369
         https://security.debian.org/dists/stable/updates/source/cvsweb_109.tar.gz
          MD5 checksum: 4c42ec3ba7248fc2499cdfaa6ae6b702
    
      Architecture independent archives:
         https://security.debian.org/dists/stable/updates/binary-all/cvsweb_109_all.deb
          MD5 checksum: fe9144254ab224923ac627aef7ec2167
    
    Debian GNU/Linux 2.2 alias potato
    - -------------------------------------
    
      Please note that potato has not been released yet.
    
      Source archives:
         https://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.diff.gz
          MD5 checksum: 9dcb469f5da602cd53e41258febba244
         https://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.dsc
          MD5 checksum: b4aceba93a6721486f8ca42f230c7271
         https://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79.orig.tar.gz
          MD5 checksum: c755a4c75d4c8844274458ae5953823b
    
      Binary package for all architectures:
         https://http.us.debian.org/debian/dists/potato/main/binary-all/devel/cvsweb_1.79-3potato1.deb
          MD5 checksum: 1b89d61312925ee7934108c4f638d912
    
    Debian GNU/Linux unstable alias woody
    - -------------------------------------
    
      Please note that woody has not been released yet.
    
      Source archives:
         https://http.us.debian.org/debian/dists/woody/main/source/devel/cvsweb_1.86-1.diff.gz
          MD5 checksum: e3fc2117d689746eaa2cf4c8a701aa4e 
         https://http.us.debian.org/debian/dists/woody/main/source/devel/cvsweb_1.86-1.dsc
          MD5 checksum: 0b2b9bf0b1fe39552da03698ba37bc36
         https://http.us.debian.org/debian/dists/woody/main/source/devel/cvsweb_1.86.orig.tar.gz
          MD5 checksum: ea93ed274ec6fbd49cec57c759747cb7
    
      Binary package for all architectures:
         https://http.us.debian.org/debian/dists/woody/main/binary-all/devel/cvsweb_1.86-1.deb
          MD5 checksum: a99c605e0d77f1c56a82c95a3dc6d83f
    
    
    
    - -- 
    - ----------------------------------------------------------------------------
    For apt-get: deb  https://security.debian.org/ stable updates
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates
    Mailing list: debian-security-
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv
    
    iQB1AwUBOXFYwajZR/ntlUftAQH1KwL/WH/WLKH+OXFE/Ut+QDy5/NEEtjsAGn8K
    ptgWr+AFj9H4Ih/UoX//VfWKNpVNCZFfucFPd+ohFLiy+1yfrrCQMQXjgA7CYw2L
    w1Im7OXJBrK/y6NiiRNijCDOyC1nDofd
    =U5iJ
    -----END PGP SIGNATURE-----
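
The `wget` / `dpkg -i` procedure above with the checksum check made explicit, as an added example that is not part of the Debian advisory: it parses the advisory's own URL / `MD5 checksum:` layout and rejects a package whose digest does not match. The function names and the file name `advisory.txt` are assumptions; the checksums are only as trustworthy as the advisory text, so check its PGP signature first.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.

# advisory_to_md5list: read advisory text on stdin and print one
# "<md5>  <filename>" line per listed package.
advisory_to_md5list() {
    awk '
        # A line whose first field is a URL names the next file.
        $1 ~ /^(https?|ftp):\/\// { n = split($1, p, "/"); file = p[n]; next }
        # The checksum line that follows belongs to that file.
        /MD5 checksum:/ {
            sum = tolower($NF)
            # Accept only a 32-digit hex digest and a plain package file name;
            # names parsed out of free text are not trusted further than that.
            if (sum ~ /^[0-9a-f]+$/ && length(sum) == 32 &&
                file ~ /^[A-Za-z0-9._+~-]+$/)
                print sum "  " file
            file = ""
        }
    '
}

# verify_pkg <advisory-file> <package-file>
# Returns 0 only if the package's MD5 equals the one the advisory lists for
# that file name, 1 on mismatch, 2 if the advisory does not list the file.
verify_pkg() {
    want=$(advisory_to_md5list < "$1" |
           awk -v f="$(basename "$2")" '$2 == f { print $1; exit }')
    [ -n "$want" ] || { echo "not listed in advisory: $2" >&2; return 2; }
    have=$(md5sum "$2" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo "MD5 mismatch: $2" >&2; return 1; }
}

# Typical use, after saving the advisory as advisory.txt (assumed name):
#   wget <url from the advisory>
#   verify_pkg advisory.txt cvsweb_109_all.deb && dpkg -i cvsweb_109_all.deb
```
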
    
