From: Derek Robert Price
Subject: Re: CVS 1.11.5 Released (Security Update)
Date: Mon, 20 Jan 2003 16:55:52 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

Shankar Unni wrote:
> > CVS 1.11.5 has been released. This release fixes a major security vulnerability in CVS. The Common Vulnerabilities and Exposures project (cve.mitre.org <http://cve.mitre.org>) has assigned the name CAN-2003-0015 to this issue. See the text of CAN-2003-0015 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015> for more information.
>
> Looks like someone's marked the CVE entry as "reserved", so we have no idea what this is about. There are literally 0 details on the CVE site, except the candidate number (not even a one-line description or the product affected). Someone care to at least summarize what the vulnerability is?

The CVE data should show up soon. We were delaying update of the CVE site in order to make sure that a patch would be available before a general vulnerability announcement.
Without going into too much detail, the vulnerability allows read-only CVS users to execute arbitrary code as the user the CVS server executable is running as.
Again, the CVE site should be updated with more detail soon.

Derek
--
*8^)
Email: derek@ximbiot.com
Get CVS support at <http://ximbiot.com>!
--
73. ASCII a stupid question, get a stupid ANSI!