Alerts This Week
Warning Icon 1 485
Alerts This Week
Warning Icon 1 485

Critical Vulnerability in Cvs Code Execution for Ubuntu 17.04, 16.04 LTS

ubuntu
Calendar Grey August 21, 2017
Dist Ubuntu Esm H88
This Ubuntu Security Alert USN-4500-1 concerns a specific flaw affecting different Ubuntu versions.
cvs could be made run programs as your login if it opened a specially crafted cvs repository.

Summary

cvs could be made run programs as your login if it opened a

specially crafted cvs repository.

Software Description:

- cvs: Concurrent Versions System

Details:

Hank Leininger discovered that cvs did not properly handle SSH

for remote repositories. A remote attacker could use this to

construct a cvs repository that when accessed could run arbitrary

code with the privileges of the user.

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  cvs                             2:1.12.13+real-22ubuntu0.1

Ubuntu 16.04 LTS:
  cvs                             2:1.12.13+real-15ubuntu0.1

Ubuntu 14.04 LTS:
  cvs                             2:1.12.13+real-12ubuntu0.1

In general, a standard system update will make all the necessary
changes.

References

  https://ubuntu.com/security/notices/USN-3399-1

  CVE-2017-12836

Severity
critical
Lowest
Low
Medium
High
Critical

August 21, 2017

Package Information

  https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-22ubuntu0.1
  https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-15ubuntu0.1
  https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-12ubuntu0.1

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here