debian-sf-users

Re: [Debian-sf-users] cvsweb and CVE-2000-0670


From: Justin Richer
Subject: Re: [Debian-sf-users] cvsweb and CVE-2000-0670
Date: Wed, 9 Apr 2003 23:57:34 -0400

I've run into this problem at my organization as well (MITRE), and here's
what I've found out:

The cvsweb script in Debian-SF is based on version 1.112 (which is several
revisions above 1.85, as you can see). The problem lies in how Nessus
determines the version of cvsweb: It uses an HTML comment in the generated
output of the cvsweb pages that contains an expanded $Revision$ CVS tag.
This is a very broken way of reporting the version, because the instant it
is checked into another CVS repository (as happened with Debian-SF) the
apparent version changes, and in our case effectively re-sets to 1.2. A
little research dug up that not only is version 1.2 very old, it was also
(as far as I can gather) in German, making it rather unfit for our purposes
here :). I'm not even sure if it was publicly released, actually. But that's
all a moot point. To answer, yes, the version is secure.

On another note, I've recently done some work to integrate Chora into our
version of SF here, but:
  1) It's based on 2.5
  2) It relies on a bunch of changes to the theme architecture
  3) It also makes use of our security system

I'll gladly submit things back, but since we're supporting a 2.5-based site,
I gathered there wasn't much interest in our code.

 -- Justin

----- Original Message -----
From: "Lee Sheridan" <address@hidden>
To: <address@hidden>
Sent: Wednesday, April 09, 2003 12:59 PM
Subject: [Debian-sf-users] cvsweb and CVE-2000-0670


> Hi.  I'm setting up a SF site, based on the current debian-sf 2.6 out of
> CVS.
>
> Part of our local policy for newly network attached systems is an ISS or
> Nessus scan.  Nessus is complaining that "The remote cvsweb is older or
> as old as version 1.85", and points to CVE-2000-0670.
>
> The Bugtraq message is here:
>
>   http://www.securityfocus.com/archive/1/69942/2000-07-06/2000-07-12/0
>
> Looking at the sf code, I see that parts of cvsweb were integrated into
> the Debian tree.
>
> Quoting /sourceforge-2.6/deb-specific/cvsweb/cvsweb.cgi:
>
>  # Based on:
>  # * Bill Fenners cvsweb.cgi revision 1.28 available from:
>  #   http://www.freebsd.org/cgi/cvsweb.cgi/www/en/cgi/cvsweb.cgi
>
> So my question is -- was this vulnerability patched in the debian-sf
> branch of the cvsweb code, or irrelevant in the debian-sf code?  I admit
> to not being a good enough coder to confidently proclaim that I consider
> it to be a false positive.
>
> Thanks in advance.
>
> --
> Lee Sheridan                            301.286.5898 voice
> NASA / Goddard Space Flight Center      address@hidden
> Computer Sciences Corporation           Building 28, Room S241
> Code 931
>
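
Added example, not part of the original thread and not Nessus or Debian-SF code: it reproduces the false positive described in the reply, where a banner-only check on the expanded $Revision$ tag flags a re-imported script as "1.85 or older". It goes one step beyond the thread by fingerprinting the source with CVS keywords collapsed, so two copies can be compared regardless of which repository expanded them. The banner comment format, the sample script body and all function names are constructed assumptions.

```python
import hashlib
import re

# RCS/CVS keyword in expanded form, e.g. "$Revision: 1.112 $"
REVISION = re.compile(r"\$Revision: (\d+(?:\.\d+)+) \$")
# Any expanded keyword; collapsed to "$Keyword$" before fingerprinting
KEYWORD = re.compile(r"\$(Revision|Id|Date|Author|Header|Source|RCSfile)(?::[^$\n]*)?\$")


def banner_revision(text):
    """Return the first expanded $Revision$ as a tuple of ints, or None."""
    m = REVISION.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def banner_check(html, fixed_after=(1, 85)):
    """Banner-only check as described in the thread: flag when revision <= 1.85."""
    rev = banner_revision(html)
    return rev is not None and rev <= fixed_after


def fingerprint(source):
    """SHA-256 of the source with CVS keywords collapsed, so the hash does
    not change when the same file is committed to a different repository."""
    collapsed = KEYWORD.sub(lambda m: "$" + m.group(1) + "$", source)
    return hashlib.sha256(collapsed.encode()).hexdigest()


# Constructed sample: one script body as CVS would expand it in two repositories.
BODY = 'print "<!-- cvsweb {} -->\\n";\n# ... rest of the script, identical in both copies\n'
UPSTREAM = BODY.format("$Revision: 1.112 $")    # upstream repository
DOWNSTREAM = BODY.format("$Revision: 1.2 $")    # re-imported into another repository


def page(source):
    """Constructed stand-in for the generated HTML: the banner comment only."""
    return "<html><!-- cvsweb {} --></html>".format(REVISION.search(source).group(0))


if __name__ == "__main__":
    for name, src in (("upstream", UPSTREAM), ("downstream", DOWNSTREAM)):
        print(name, banner_revision(page(src)), "flagged:", banner_check(page(src)),
              fingerprint(src)[:12])
```

A matching fingerprint only shows that two copies are the same code; whether that code carries the fix still has to be established from the upstream history.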





