Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 25 articles for you...
89

Fedora 25: 2017-97eb475d93 Moderate: CVS Command Injection

This relase fixes CVE-2017-12836 vulerbaility (command injection via malicious SSH URL).. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2017-97eb475d93 2017-08-29 14:33:06.230164 --------------------------------------------------------------------------------Name : cvs Product : Fedora 25 Version : 1.11.23 Release : 41.fc25 URL : Summary : Concurrent Versions System Description : CVS (Concurrent Versions System) is a version control system that can record the history of your files (usually, but not always, source code). CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred. CVS is very helpful for managing releases and controlling the concurrent editing of source files among multiple authors. Instead of providing version control for a collection of files in a single directory, CVS provides version control for a hierarchical collection of directories consisting of revision controlled files. These directories and files can then be combined together to form a software release. --------------------------------------------------------------------------------Update Information: This relase fixes CVE-2017-12836 vulerbaility (command injection via malicious SSH URL). --------------------------------------------------------------------------------References: [ 1 ] Bug #1480800 - CVE-2017-12836 cvs: Command injection via malicious ssh URLs https://bugzilla.redhat.com/show_bug.cgi?id=1480800 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade cvs' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. Moredetails on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. . Patch for CVE-2017-12836 vulnerability in CVS impacting Fedora 25, mitigating command injection threat through SSH URLs.. Fedora 25 Security,CVS Update,Command Injection Fix. . LinuxSecurity.com Team

Calendar%202 Aug 29, 2017 Fedora
172

Critical Vulnerability in Cvs Code Execution for Ubuntu 17.04, 16.04 LTS

cvs could be made run programs as your login if it opened a specially crafted cvs repository.. =========================================================================Ubuntu Security Notice USN-3399-1 August 21, 2017 cvs vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.04 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: cvs could be made run programs as your login if it opened a specially crafted cvs repository. Software Description: - cvs: Concurrent Versions System Details: Hank Leininger discovered that cvs did not properly handle SSH for remote repositories. A remote attacker could use this to construct a cvs repository that when accessed could run arbitrary code with the privileges of the user. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.04: cvs 2:1.12.13+real-22ubuntu0.1 Ubuntu 16.04 LTS: cvs 2:1.12.13+real-15ubuntu0.1 Ubuntu 14.04 LTS: cvs 2:1.12.13+real-12ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-3399-1 CVE-2017-12836 Package Information: https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-22ubuntu0.1 https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-15ubuntu0.1 https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-12ubuntu0.1 . This Ubuntu Security Alert USN-4500-1 concerns a specific flaw affecting different Ubuntu versions.. cvs Vulnerability, Remote Code Execution, Ubuntu Security Notice. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Aug 21, 2017 Critical Ubuntu
197

Debian 7 Wheezy DLA-1056-1 Critical: Command Injection in CVS Resolved

It was discovered that there was a command injection vulnerability in the CVS revision control system. For Debian 7 "Wheezy", this issue has been fixed in cvs version . Hash: SHA256 Package : cvs Version : 2:1.12.13+real-9+deb7u1 CVE ID : CVE-2017-12836 Debian Bug : #871810 It was discovered that there was a command injection vulnerability in the CVS revision control system. For Debian 7 "Wheezy", this issue has been fixed in cvs version 2:1.12.13+real-9+deb7u1. We recommend that you upgrade your cvs packages. Thanks to Thorsten Glaser for preparing and testing this upload. Regards, - -- ,'`. : :' : Chris Lamb `. `'` This email address is being protected from spambots. You need JavaScript enabled to view it. / chris-lamb.co.uk `- . Enhance your Debian system by updating cvs packages to mitigate command injection vulnerabilities, thereby strengthening your overall security framework.. Debian Security Update, CVS Command Injection, Debian 7 Wheezy. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Aug 13, 2017 Critical Debian LTS
87

Debian: DSA-3940-1 Critical: CVS Arbitrary Command Execution

It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-3940-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Sebastien Delafond August 13, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : cvs CVE ID : CVE-2017-12836 Debian Bug : 871810 It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command. For the oldstable distribution (jessie), this problem has been fixed in version 2:1.12.13+real-15+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 2:1.12.13+real-22+deb9u1. We recommend that you upgrade your cvs packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. . Ubuntu Security Notice USN-4202-1 resolves a critical vulnerability in Git, allowing unauthorized code execution through malicious repositories.. CVS Security Update, Debian Bug Fix, Centralised Version Control, Command Execution Risk. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Aug 13, 2017 Critical Debian
91

Gentoo Linux: GLSA-201701-44 Normal: CVS Heap Overflow DoS Threat

A heap-based buffer overflow in CVS might allow remote attackers to execute arbitrary code.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201701-44 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: CVS: Heap-based overflow Date: January 19, 2017 Bugs: #402593 ID: 201701-44 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= A heap-based buffer overflow in CVS might allow remote attackers to execute arbitrary code. Background ========= CVS (Concurrent Versions System) is an open-source network-transparent version control system. It contains both a client utility and a server. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-vcs/cvs < 1.12.12-r11 > = 1.12.12-r11 Description ========== A heap-based buffer overflow was discovered in the proxy_connect function in src/client.c in CVS. Impact ===== An attacker, utilizing a remote HTTP proxy server, could cause a Denial of Service condition or possibly execute arbitrary code via a crafted HTTP response. Workaround ========= There is no known workaround at this time. Resolution ========= All CVS users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-vcs/cvs-1.12.12-r11" References ========= [ 1 ] CVE-2012-0804 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0804 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201701-44 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to This email address is being protected from spambots. You need JavaScript enabled to view it. or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5/ . Buffer overflow vulnerability in CVS could allow attackers to run arbitrary code, posing risks for Gentoo Linux systems. Users are strongly urged to update their packages promptly.. Heap-Based Overflow,Gentoo Security Advisory,CVS DoS Issue,Remote Exploit. . LinuxSecurity.com Team

Calendar%202 Jan 19, 2017 Gentoo
200

Scientific Linux Moderate Update: CVE-2012-0804 for cvs Buffer Overflow

Moderate: cvs security update. Date: Tue, 6 Mar 2012 14:48:30 -0600 Reply-To: This email address is being protected from spambots. You need JavaScript enabled to view it. Sender: Security Errata for Scientific Linux From: This email address is being protected from spambots. You need JavaScript enabled to view it. Subject: Security ERRATA Moderate: cvs on SL5.x, SL6.x i386/x86_64 Comments: To: This email address is being protected from spambots. You need JavaScript enabled to view it. Synopsis: Moderate: cvs security update Issue Date: 2012-02-21 CVE Numbers: CVE-2012-0804 Concurrent Version System (CVS) is a version control system that can record the history of your files. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. (CVE-2012-0804) All users of cvs are advised to upgrade to these updated packages, which contain a patch to correct this issue. SL5: i386 cvs-1.11.22-11.el5_8.1.i386.rpm cvs-debuginfo-1.11.22-11.el5_8.1.i386.rpm cvs-inetd-1.11.22-11.el5_8.1.i386.rpm x86_64 cvs-1.11.22-11.el5_8.1.x86_64.rpm cvs-debuginfo-1.11.22-11.el5_8.1.x86_64.rpm cvs-inetd-1.11.22-11.el5_8.1.x86_64.rpm SL6: i386 cvs-1.11.23-11.el6_2.1.i686.rpm cvs-debuginfo-1.11.23-11.el6_2.1.i686.rpm x86_64 cvs-1.11.23-11.el6_2.1.x86_64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.x86_64.rpm - Scientific Linux Development Team . Enhance the current cvs packages on Scientific Linux to mitigate intermediate risks related to buffer overflow flaws.. cvs security update, Scientific Linux, moderate threat, buffer overflow. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Mar 06, 2012 Important Scientific Linux
172

Ubuntu 11.10 USN-1371-1 Urgent: Cvs Proxy Crash Vulnerability Issue

cvs could be made to crash or run programs as your login if it connected to a malicious proxy server.. =========================================================================Ubuntu Security Notice USN-1371-1 February 22, 2012 cvs vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: cvs could be made to crash or run programs as your login if it connected to a malicious proxy server. Software Description: - cvs: Concurrent Versions System Details: It was discovered that cvs incorrectly handled certain responses from proxy servers. If a user were tricked into connecting to a malicious proxy server, a remote attacker could cause cvs to crash, or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: cvs 2:1.12.13+real-6ubuntu0.1 Ubuntu 11.04: cvs 1:1.12.13-12ubuntu1.11.04.1 Ubuntu 10.10: cvs 1:1.12.13-12ubuntu1.10.10.1 Ubuntu 10.04 LTS: cvs 1:1.12.13-12ubuntu1.10.04.1 In general, a standard system update will make all the necessary changes. References: CVE-2012-0804 Package Information: https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-6ubuntu0.1 https://launchpad.net/ubuntu/+source/cvs/1:1.12.13-12ubuntu1.11.04.1 https://launchpad.net/ubuntu/+source/cvs/1:1.12.13-12ubuntu1.10.10.1 https://launchpad.net/ubuntu/+source/cvs/1:1.12.13-12ubuntu1.10.04.1 . Ubuntu Security Notice USN-1371-2 describes the libxml2 vulnerability that has the potential to enable remote code execution via specific XML payloads.. ubuntu security notice,cvs update,proxy vulnerability,remote code execution. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Feb 22, 2012 Critical Ubuntu
98

Red Hat Enterprise Linux Versions 5 and 6: CVE-2012-0321 Moderate Risk

Updated cvs packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: cvs security update Advisory ID: RHSA-2012:0321-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2012:0321.html Issue date: 2012-02-21 CVE Names: CVE-2012-0804 ==================================================================== 1. Summary: Updated cvs packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Concurrent Version System (CVS) is a version control system that can record the history of your files. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. (CVE-2012-0804) All users of cvs are advised to upgrade to these updated packages, which contain a patch to correct thisissue. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 784141 - CVE-2012-0804 cvs: client proxy_connect heap-based buffer overflow 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: cvs-1.11.22-11.el5_8.1.i386.rpm cvs-debuginfo-1.11.22-11.el5_8.1.i386.rpm cvs-inetd-1.11.22-11.el5_8.1.i386.rpm x86_64: cvs-1.11.22-11.el5_8.1.x86_64.rpm cvs-debuginfo-1.11.22-11.el5_8.1.x86_64.rpm cvs-inetd-1.11.22-11.el5_8.1.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: i386: cvs-1.11.22-11.el5_8.1.i386.rpm cvs-debuginfo-1.11.22-11.el5_8.1.i386.rpm cvs-inetd-1.11.22-11.el5_8.1.i386.rpm ia64: cvs-1.11.22-11.el5_8.1.ia64.rpm cvs-debuginfo-1.11.22-11.el5_8.1.ia64.rpm cvs-inetd-1.11.22-11.el5_8.1.ia64.rpm ppc: cvs-1.11.22-11.el5_8.1.ppc.rpm cvs-debuginfo-1.11.22-11.el5_8.1.ppc.rpm cvs-inetd-1.11.22-11.el5_8.1.ppc.rpm s390x: cvs-1.11.22-11.el5_8.1.s390x.rpm cvs-debuginfo-1.11.22-11.el5_8.1.s390x.rpm cvs-inetd-1.11.22-11.el5_8.1.s390x.rpm x86_64: cvs-1.11.22-11.el5_8.1.x86_64.rpm cvs-debuginfo-1.11.22-11.el5_8.1.x86_64.rpm cvs-inetd-1.11.22-11.el5_8.1.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: i386: cvs-1.11.23-11.el6_2.1.i686.rpm cvs-debuginfo-1.11.23-11.el6_2.1.i686.rpm x86_64: cvs-1.11.23-11.el6_2.1.x86_64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: x86_64: cvs-1.11.23-11.el6_2.1.x86_64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.x86_64.rpm Red Hat Enterprise Linux Server (v.6): Source: i386: cvs-1.11.23-11.el6_2.1.i686.rpm cvs-debuginfo-1.11.23-11.el6_2.1.i686.rpm ppc64: cvs-1.11.23-11.el6_2.1.ppc64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.ppc64.rpm s390x: cvs-1.11.23-11.el6_2.1.s390x.rpm cvs-debuginfo-1.11.23-11.el6_2.1.s390x.rpm x86_64: cvs-1.11.23-11.el6_2.1.x86_64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: i386: cvs-1.11.23-11.el6_2.1.i686.rpm cvs-debuginfo-1.11.23-11.el6_2.1.i686.rpm x86_64: cvs-1.11.23-11.el6_2.1.x86_64.rpm cvs-debuginfo-1.11.23-11.el6_2.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2012-0804 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPRBt+XlSAg2UNWIIRAh1BAJ9OfaVRa4INu5w7lyyeJj4BO/MgdwCeL5Sv DqDez2eNukKE/QVUjCcX3Xc=Crg2 -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Ubuntu unveils refreshed kernel modules with a low severity rating addressing a memory leak for improved stability.. Red Hat Enterprise Linux,cvs security update,buffer overflow fix,security advisory. . LinuxSecurity.com Team

Calendar%202 Feb 21, 2012 Red Hat
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200