Explore top 10 tips to secure your open-source projects now. Read More
×
This relase fixes CVE-2017-12836 vulerbaility (command injection via malicious SSH URL).. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2017-97eb475d93 2017-08-29 14:33:06.230164 --------------------------------------------------------------------------------Name : cvs Product : Fedora 25 Version : 1.11.23 Release : 41.fc25 URL : Summary : Concurrent Versions System Description : CVS (Concurrent Versions System) is a version control system that can record the history of your files (usually, but not always, source code). CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred. CVS is very helpful for managing releases and controlling the concurrent editing of source files among multiple authors. Instead of providing version control for a collection of files in a single directory, CVS provides version control for a hierarchical collection of directories consisting of revision controlled files. These directories and files can then be combined together to form a software release. --------------------------------------------------------------------------------Update Information: This relase fixes CVE-2017-12836 vulerbaility (command injection via malicious SSH URL). --------------------------------------------------------------------------------References: [ 1 ] Bug #1480800 - CVE-2017-12836 cvs: Command injection via malicious ssh URLs https://bugzilla.redhat.com/show_bug.cgi?id=1480800 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade cvs' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. Moredetails on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list --
cvs could be made run programs as your login if it opened a specially crafted cvs repository.. =========================================================================Ubuntu Security Notice USN-3399-1 August 21, 2017 cvs vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.04 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: cvs could be made run programs as your login if it opened a specially crafted cvs repository. Software Description: - cvs: Concurrent Versions System Details: Hank Leininger discovered that cvs did not properly handle SSH for remote repositories. A remote attacker could use this to construct a cvs repository that when accessed could run arbitrary code with the privileges of the user. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.04: cvs 2:1.12.13+real-22ubuntu0.1 Ubuntu 16.04 LTS: cvs 2:1.12.13+real-15ubuntu0.1 Ubuntu 14.04 LTS: cvs 2:1.12.13+real-12ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-3399-1 CVE-2017-12836 Package Information: https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-22ubuntu0.1 https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-15ubuntu0.1 https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-12ubuntu0.1 . This Ubuntu Security Alert USN-4500-1 concerns a specific flaw affecting different Ubuntu versions.. cvs Vulnerability, Remote Code Execution, Ubuntu Security Notice. . Severity: Critical. LinuxSecurity.com Team
It was discovered that there was a command injection vulnerability in the CVS revision control system. For Debian 7 "Wheezy", this issue has been fixed in cvs version . Hash: SHA256 Package : cvs Version : 2:1.12.13+real-9+deb7u1 CVE ID : CVE-2017-12836 Debian Bug : #871810 It was discovered that there was a command injection vulnerability in the CVS revision control system. For Debian 7 "Wheezy", this issue has been fixed in cvs version 2:1.12.13+real-9+deb7u1. We recommend that you upgrade your cvs packages. Thanks to Thorsten Glaser for preparing and testing this upload. Regards, - -- ,'`. : :' : Chris Lamb `. `'`
It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-3940-1
A heap-based buffer overflow in CVS might allow remote attackers to execute arbitrary code.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201701-44 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: CVS: Heap-based overflow Date: January 19, 2017 Bugs: #402593 ID: 201701-44 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= A heap-based buffer overflow in CVS might allow remote attackers to execute arbitrary code. Background ========= CVS (Concurrent Versions System) is an open-source network-transparent version control system. It contains both a client utility and a server. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-vcs/cvs < 1.12.12-r11 > = 1.12.12-r11 Description ========== A heap-based buffer overflow was discovered in the proxy_connect function in src/client.c in CVS. Impact ===== An attacker, utilizing a remote HTTP proxy server, could cause a Denial of Service condition or possibly execute arbitrary code via a crafted HTTP response. Workaround ========= There is no known workaround at this time. Resolution ========= All CVS users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-vcs/cvs-1.12.12-r11" References ========= [ 1 ] CVE-2012-0804 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0804 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201701-44 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Moderate: cvs security update. Date: Tue, 6 Mar 2012 14:48:30 -0600 Reply-To:
cvs could be made to crash or run programs as your login if it connected to a malicious proxy server.. =========================================================================Ubuntu Security Notice USN-1371-1 February 22, 2012 cvs vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: cvs could be made to crash or run programs as your login if it connected to a malicious proxy server. Software Description: - cvs: Concurrent Versions System Details: It was discovered that cvs incorrectly handled certain responses from proxy servers. If a user were tricked into connecting to a malicious proxy server, a remote attacker could cause cvs to crash, or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: cvs 2:1.12.13+real-6ubuntu0.1 Ubuntu 11.04: cvs 1:1.12.13-12ubuntu1.11.04.1 Ubuntu 10.10: cvs 1:1.12.13-12ubuntu1.10.10.1 Ubuntu 10.04 LTS: cvs 1:1.12.13-12ubuntu1.10.04.1 In general, a standard system update will make all the necessary changes. References: CVE-2012-0804 Package Information: https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-6ubuntu0.1 https://launchpad.net/ubuntu/+source/cvs/1:1.12.13-12ubuntu1.11.04.1 https://launchpad.net/ubuntu/+source/cvs/1:1.12.13-12ubuntu1.10.10.1 https://launchpad.net/ubuntu/+source/cvs/1:1.12.13-12ubuntu1.10.04.1 . Ubuntu Security Notice USN-1371-2 describes the libxml2 vulnerability that has the potential to enable remote code execution via specific XML payloads.. ubuntu security notice,cvs update,proxy vulnerability,remote code execution. . Severity: Critical. LinuxSecurity.com Team
Updated cvs packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: cvs security update Advisory ID: RHSA-2012:0321-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2012:0321.html Issue date: 2012-02-21 CVE Names: CVE-2012-0804 ==================================================================== 1. Summary: Updated cvs packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Concurrent Version System (CVS) is a version control system that can record the history of your files. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. (CVE-2012-0804) All users of cvs are advised to upgrade to these updated packages, which contain a patch to correct thisissue. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 784141 - CVE-2012-0804 cvs: client proxy_connect heap-based buffer overflow 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: cvs-1.11.22-11.el5_8.1.i386.rpm cvs-debuginfo-1.11.22-11.el5_8.1.i386.rpm cvs-inetd-1.11.22-11.el5_8.1.i386.rpm x86_64: cvs-1.11.22-11.el5_8.1.x86_64.rpm cvs-debuginfo-1.11.22-11.el5_8.1.x86_64.rpm cvs-inetd-1.11.22-11.el5_8.1.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: i386: cvs-1.11.22-11.el5_8.1.i386.rpm cvs-debuginfo-1.11.22-11.el5_8.1.i386.rpm cvs-inetd-1.11.22-11.el5_8.1.i386.rpm ia64: cvs-1.11.22-11.el5_8.1.ia64.rpm cvs-debuginfo-1.11.22-11.el5_8.1.ia64.rpm cvs-inetd-1.11.22-11.el5_8.1.ia64.rpm ppc: cvs-1.11.22-11.el5_8.1.ppc.rpm cvs-debuginfo-1.11.22-11.el5_8.1.ppc.rpm cvs-inetd-1.11.22-11.el5_8.1.ppc.rpm s390x: cvs-1.11.22-11.el5_8.1.s390x.rpm cvs-debuginfo-1.11.22-11.el5_8.1.s390x.rpm cvs-inetd-1.11.22-11.el5_8.1.s390x.rpm x86_64: cvs-1.11.22-11.el5_8.1.x86_64.rpm cvs-debuginfo-1.11.22-11.el5_8.1.x86_64.rpm cvs-inetd-1.11.22-11.el5_8.1.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: i386: cvs-1.11.23-11.el6_2.1.i686.rpm cvs-debuginfo-1.11.23-11.el6_2.1.i686.rpm x86_64: cvs-1.11.23-11.el6_2.1.x86_64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: x86_64: cvs-1.11.23-11.el6_2.1.x86_64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.x86_64.rpm Red Hat Enterprise Linux Server (v.6): Source: i386: cvs-1.11.23-11.el6_2.1.i686.rpm cvs-debuginfo-1.11.23-11.el6_2.1.i686.rpm ppc64: cvs-1.11.23-11.el6_2.1.ppc64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.ppc64.rpm s390x: cvs-1.11.23-11.el6_2.1.s390x.rpm cvs-debuginfo-1.11.23-11.el6_2.1.s390x.rpm x86_64: cvs-1.11.23-11.el6_2.1.x86_64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: i386: cvs-1.11.23-11.el6_2.1.i686.rpm cvs-debuginfo-1.11.23-11.el6_2.1.i686.rpm x86_64: cvs-1.11.23-11.el6_2.1.x86_64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2012-0804 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPRBt+XlSAg2UNWIIRAh1BAJ9OfaVRa4INu5w7lyyeJj4BO/MgdwCeL5Sv DqDez2eNukKE/QVUjCcX3Xc=Crg2 -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
Get the latest Linux and open source security news straight to your inbox.