security advisoryupdatedebian
cvsweb is vulnerable to a remote shell exploit.. -----BEGIN PGP SIGNED MESSAGE----- - ------------------------------------------------------------------------ Debian Security Advisory This email address is being protected from spambots. You need JavaScript enabled to view it. Debian -- Security Information Wichert Akkerman July 16, 2000 - ------------------------------------------------------------------------ Package: cvsweb Vulnerability type: remote shell Debian-specific: no The versions of cvsweb distributed in Debian GNU/Linux 2.1 (aka slink) as well as in the frozen (potato) and unstable (woody) distributions, are vulnerable to a remote shell exploit. An attacker with write access to the cvs repository can execute arbitrary code on the server, as the www-data user. The vulnerability is fixed in version 109 of cvsweb for the current stable release (Debian 2.1), in version 1.79-3potato1 for the frozen distribution, and in version 1.86-1 for the unstable distribution. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. Debian GNU/Linux 2.1 alias slink - ------------------------------------ Source archives: MD5 checksum: b1810728310882fb72078674521ee369 MD5 checksum: 4c42ec3ba7248fc2499cdfaa6ae6b702 Architecture indendent archives: MD5 checksum: fe9144254ab224923ac627aef7ec2167 Debian GNU/Linux 2.2 alias potato - ------------------------------------- Please note that potato has not been released yet. Source archives: MD5 checksum: 9dcb469f5da602cd53e41258febba244 MD5 checksum: b4aceba93a6721486f8ca42f230c7271 MD5 checksum: c755a4c75d4c8844274458ae5953823b Binary package for all architectures: MD5 checksum: 1b89d61312925ee7934108c4f638d912 Debian GNU/Linux unstable alias woody - ------------------------------------- Please note that woody has not been released yet. Source archives: MD5 checksum: e3fc2117d689746eaa2cf4c8a701aa4e MD5 checksum: 0b2b9bf0b1fe39552da03698ba37bc36 MD5 checksum: ea93ed274ec6fbd49cec57c759747cb7 Binary package for all architectures: MD5 checksum: a99c605e0d77f1c56a82c95a3dc6d83f - -- - ---------------------------------------------------------------------------- For apt-get: deb Debian -- Security Information stable updates For dpkg-ftp: dists/stable/updates Mailing list: debian-security- This email address is being protected from spambots. You need JavaScript enabled to view it. -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQB1AwUBOXFYwajZR/ntlUftAQH1KwL/WH/WLKH+OXFE/Ut+QDy5/NEEtjsAGn8K ptgWr+AFj9H4Ih/UoX//VfWKNpVNCZFfucFPd+ohFLiy+1yfrrCQMQXjgA7CYw2L w1Im7OXJBrK/y6NiiRNijCDOyC1nDofd =U5iJ -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------. cvsweb, vulnerable, remote, shell, exploit, -----begin, signed, message-----, ---------------. . Severity: Critical. LinuxSecurity.com Team
Jul 16, 2000
•Critical
Debian
Refine advisories
