Request to upgrade cvs in FreeBSD [New stable cvs release fixing new vulnerability?]

From: Xin LI (delphij_at_frontfree.net)
Date: 01/13/04

    To: <freebsd-security@freebsd.org>
    Date: Wed, 14 Jan 2004 00:41:23 +0800
    
    

    Greetings, Peter and the Security Officers team,

    There is a minor security vulnerability in cvs prior to 1.11.10, as described
    in CAN-2003-0977:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977

    On December 10th, 2003, itojun imported cvs 1.11.10 into NetBSD, as
    follows:
    http://mail-index.netbsd.org/source-changes/2003/12/10/0025.html
    http://mail-index.netbsd.org/source-changes/2003/12/10/0026.html

    After a week it has been 'pulled-up' (MFC in our convention) to 1.6 branch:
    http://mail-index.netbsd.org/source-changes/2003/12/17/0020.html
    http://mail-index.netbsd.org/source-changes/2003/12/17/0021.html

    itojun has clarified the update on this post:
    http://mail-index.netbsd.org/tech-userlevel/2003/12/10/0003.html

    Then I posted a request on this list, having CC'ed to peter@, so@ and re@:

    http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001286.html

    Colin Percival then replied with a patch to mitigate the problem, which
    should be easy to audit:

    http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001299.html

    Unfortunately, before we have taken any steps (importing a new cvs version
    is not so trivial and I guess that's the reason why you have not done it),
    cvs 1.11.11 has been released, and imported into NetBSD:

    http://mail-index.netbsd.org/source-changes/2004/01/02/0021.html
    http://mail-index.netbsd.org/source-changes/2004/01/02/0022.html

    Which mentions Gentoo Linux's security advisory, GLSA-200312-08, which, for
    your information, is available on BugTraq:
    http://www.securityfocus.com/archive/1/348448

    So would you please consider a similar action to be taken in FreeBSD?
    Or, are we really not affected by this?

    Thanks in advance!

    Xin LI
    Repo-meister, Project Coordinator and Liaison
    The FreeBSD Simplified Chinese Project
