
[Debian-sf-users] cvsweb and CVE-2000-0670


From: Lee Sheridan
Subject: [Debian-sf-users] cvsweb and CVE-2000-0670
Date: Wed, 9 Apr 2003 12:59:10 -0400
User-agent: Mutt/1.3.28i

Hi.  I'm setting up a SF site, based on the current debian-sf 2.6 out of
CVS.

Part of our local policy for newly network attached systems is an ISS or
Nessus scan.  Nessus is complaining that "The remote cvsweb is older or
as old as version 1.85", and points to CVE-2000-0670.

The Bugtraq message is here:

  http://www.securityfocus.com/archive/1/69942/2000-07-06/2000-07-12/0

Looking at the sf code, I see that parts of cvsweb were integrated into
the Debian tree.

Quoting /sourceforge-2.6/deb-specific/cvsweb/cvsweb.cgi:

 # Based on:
 # * Bill Fenners cvsweb.cgi revision 1.28 available from:
 #   http://www.freebsd.org/cgi/cvsweb.cgi/www/en/cgi/cvsweb.cgi

So my question is -- was this vulnerability patched in the debian-sf
branch of the cvsweb code, or irrelevant in the debian-sf code?  I admit
to not being a good enough coder to confidently proclaim that I consider
it to be a false positive.

Thanks in advance.

-- 
Lee Sheridan                            301.286.5898 voice
NASA / Goddard Space Flight Center      address@hidden
Computer Sciences Corporation           Building 28, Room S241
Code 931



