[Full-Disclosure] Re: [RHSA-2004:003-01] Updated CVS packages fix minor security issue

From: Caylan Larson (caylan_at_aero.und.edu)
Date: 01/12/04

  • Next message: Nico Golde: "Re: [Full-Disclosure] auditing / logging while performing pen test"
    To: bugzilla@redhat.com
    Date: Mon, 12 Jan 2004 12:22:01 -0600
    
    

    Minor... let's not worry about it. No one uses cvs anyways.

    Caylan Van Larson
    Linux Administrator
       UND Aerospace

    On Jan 12, 2004, at 9:44 AM, bugzilla@redhat.com wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > - ---------------------------------------------------------------------
    > Red Hat Security Advisory
    >
    > Synopsis: Updated CVS packages fix minor security issue
    > Advisory ID: RHSA-2004:003-01
    > Issue date: 2004-01-05
    > Updated on: 2004-01-09
    > Product: Red Hat Linux
    > Keywords:
    > Cross references:
    > Obsoletes:
    > CVE Names: CAN-2003-0977
    > - ---------------------------------------------------------------------
    >
    > 1. Topic:
    >
    > Updated cvs packages closing a vulnerability that could allow cvs to
    > attempt to create files and directories in the root file system are now
    > available.
    >
    > 2. Relevant releases/architectures:
    >
    > Red Hat Linux 9 - i386
    >
    > 3. Problem description:
    >
    > CVS is a version control system frequently used to manage source code
    > repositories.
    >
    > A flaw was found in versions of CVS prior to 1.11.10 where a malformed
    > module request could cause the CVS server to attempt to create files or
    > directories at the root level of the file system. However, normal file
    > system permissions would prevent the creation of these misplaced
    > directories. The Common Vulnerabilities and Exposures project
    > (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue.
    >
    > Users of CVS are advised to upgrade to these erratum packages, which
    > contain a patch correcting this issue.
    >
    > 4. Solution:
    >
    > Before applying this update, make sure all previously released errata
    > relevant to your system have been applied.
    >
    > To update all RPMs for your particular architecture, run:
    >
    > rpm -Fvh [filenames]
    >
    > where [filenames] is a list of the RPMs you wish to upgrade. Only those
    > RPMs which are currently installed will be updated. Those RPMs which are
    > not installed but included in the list will not be updated. Note that you
    > can also use wildcards (*.rpm) if your current directory *only* contains the
    > desired RPMs.
    >
    > Please note that this update is also available via Red Hat Network. Many
    > people find this an easier way to apply updates. To use Red Hat Network,
    > launch the Red Hat Update Agent with the following command:
    >
    > up2date
    >
    > This will start an interactive process that will result in the appropriate
    > RPMs being upgraded on your system.
    >
    > 5. RPMs required:
    >
    > Red Hat Linux 9:
    >
    > SRPMS:
    > ftp://updates.redhat.com/9/en/os/SRPMS/cvs-1.11.2-13.src.rpm
    >
    > i386:
    > ftp://updates.redhat.com/9/en/os/i386/cvs-1.11.2-13.i386.rpm
    >
    >
    >
    > 6. Verification:
    >
    > MD5 sum                          Package Name
    > - --------------------------------------------------------------------------
    > d6a3c1f6e8403e5d069ab124b3b8ab86 9/en/os/SRPMS/cvs-1.11.2-13.src.rpm
    > e6919ce0f562781a3926107d932becee 9/en/os/i386/cvs-1.11.2-13.i386.rpm
    >
    >
    > These packages are GPG signed by Red Hat for security. Our key is
    > available from https://www.redhat.com/security/keys.html
    >
    > You can verify each package with the following command:
    >
    > rpm --checksig -v <filename>
    >
    > If you only wish to verify that each package has not been corrupted or
    > tampered with, examine only the md5sum with the following command:
    >
    > md5sum <filename>
    >
    >
    > 7. References:
    >
    > http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84
    > http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0081.html
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
    >
    > 8. Contact:
    >
    > The Red Hat security contact is <secalert@redhat.com>. More contact
    > details at https://www.redhat.com/solutions/security/news/contact.html
    >
    > Copyright 2003 Red Hat, Inc.
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.0.7 (GNU/Linux)
    >
    > iD8DBQFAAsDuXlSAg2UNWIIRAjaHAJ4w+12/x0qnX3Co3ADAQqYoX71FjQCgue5S
    > 9AQ3nhetRLJgJMyB5NZRJuY=
    > =eOLt
    > -----END PGP SIGNATURE-----
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
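The verification step in section 6 of the quoted advisory, as an added POSIX shell example that is not part of the original post or of Red Hat's tooling: it checks downloaded RPMs against an advisory-style "MD5 sum / Package Name" table (the two hashes below are transcribed from the advisory above) and shows the result on a constructed intact file and a tampered copy, since the real packages are not available offline. The function names (`verify_md5_manifest`, `write_rhsa_manifest`, `demo`), the manifest layout and the download-directory lookup by basename are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Red Hat's code: verify downloaded RPMs against the
# "MD5 sum  Package Name" table an advisory carries.
# Assumptions: manifest lines are "<md5> <path>" as in the advisory; files are
# looked up by basename in the download directory given as $2.

# Manifest transcribed from section 6 of RHSA-2004:003-01 (hashes from the page).
write_rhsa_manifest() {
    cat > "$1" <<'EOF'
MD5 sum                          Package Name
- --------------------------------------------------------------------------
d6a3c1f6e8403e5d069ab124b3b8ab86 9/en/os/SRPMS/cvs-1.11.2-13.src.rpm
e6919ce0f562781a3926107d932becee 9/en/os/i386/cvs-1.11.2-13.i386.rpm
EOF
}

# verify_md5_manifest MANIFEST DIR
# Returns 0 only if every listed package is present in DIR and its MD5 matches;
# prints one OK / FAIL / MISSING line per entry.
verify_md5_manifest() {
    manifest="$1"
    dir="$2"
    status=0
    while read -r expected path; do
        # skip blank lines, the table header and the dash rule of an advisory
        case "$expected" in
            ''|MD5*|-*) continue ;;
        esac
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING $file"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK      $file"
        else
            echo "FAIL    $file (expected $expected, got $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Offline demonstration on constructed files: an intact file passes,
# a tampered copy of the same file fails.
demo() {
    tmp=$(mktemp -d)
    pkg="$tmp/cvs-1.11.2-13.i386.rpm"
    printf 'constructed package payload\n' > "$pkg"       # constructed, not a real RPM
    sum=$(md5sum "$pkg" | cut -d' ' -f1)
    printf '%s 9/en/os/i386/cvs-1.11.2-13.i386.rpm\n' "$sum" > "$tmp/manifest"
    verify_md5_manifest "$tmp/manifest" "$tmp" || echo "unexpected failure"
    printf 'appended bytes\n' >> "$pkg"                    # simulate corruption
    verify_md5_manifest "$tmp/manifest" "$tmp" || echo "mismatch detected as expected"
    rm -rf "$tmp"
}

demo
```

To use it on real downloads, write the advisory table to a file with `write_rhsa_manifest rhsa.md5` and run `verify_md5_manifest rhsa.md5 ./downloads`. An MD5 match only shows the file is the one the advisory lists; it is the `rpm --checksig -v` step against Red Hat's published GPG key that establishes the package and its listed sum actually came from Red Hat, so the checksum comparison complements the signature check rather than replacing it.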

