Your message dated Wed, 27 Apr 2005 03:47:03 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#305254: fixed in cvs 1:1.12.9-13
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Apr 2005 21:45:10 +0000
From [EMAIL PROTECTED] Mon Apr 18 14:45:10 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111]
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DNe3K-0001Zc-00; Mon, 18 Apr 2005 14:45:10 -0700
Received: from p548955df.dip.t-dialin.net ([84.137.85.223] helo=localhost.localdomain)
        by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
        (Exim 4.50)
        id 1DNe3I-0002B1-BA
        for [EMAIL PROTECTED]; Mon, 18 Apr 2005 23:45:08 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.50)
        id 1DNe3B-0001gJ-LX; Mon, 18 Apr 2005 23:45:01 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: cvs: Several security issues in CVS
X-Mailer: reportbug 3.9
Date: Mon, 18 Apr 2005 23:45:01 +0200
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 84.137.85.223
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: cvs
Version: 1:1.12.9-11
Severity: grave
Tags: security
Justification: user security hole

CVS 1.12.12 fixes several security issues:

* Thanks to a report from Alen Zukich <[EMAIL PROTECTED]>, several minor
  security issues have been addressed.  One was a buffer overflow that is
  potentially serious but which may not be exploitable, assigned CAN-2005-0753
  by the Common Vulnerabilities and Exposures Project
  <http://www.cve.mitre.org>.  Other fixes resulting from Alen's report include
  repair of an arbitrary free with no known exploit and several plugged memory
  leaks and potentially freed NULL pointers which may have been exploitable for
  a denial of service attack.

* Thanks to a report from Craig Monson <[EMAIL PROTECTED]>, minor
  potential vulnerabilities in the contributed Perl scripts have been fixed.
  The confirmed vulnerability could allow the execution of arbitrary code on
  the CVS server, but only if a user already had commit access and if one of
  the contrib scripts was installed improperly, a condition which should have
  been quickly visible to any administrator.  The complete description of the
  problem is here: <https://ccvs.cvshome.org/issues/show_bug.cgi?id=224>.  If
  you were making use of any of the contributed trigger scripts on a CVS
  server, you should probably still replace them with the new versions, to be
  on the safe side.

  Unfortunately, our fix is incomplete.  Taint-checking has been enabled in all
  the contributed Perl scripts intended to be run as trigger scripts, but no
  attempt has been made to ensure that they still run in taint mode.  You will
  most likely have to tweak the scripts in some way to make them run.  Please
  send any patches you find necessary back to <[EMAIL PROTECTED]> so that we may
  again ship fully enabled scripts in the future.

  You should also make sure that any home-grown Perl scripts that you might
  have installed as CVS triggers also have taint-checking enabled.  This can be
  done by adding `-T' on the scripts' #! lines.  Please try running
  `perldoc perlsec' if you would like more information on general Perl security
  and taint-checking.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages cvs depends on:
ii  debconf                     1.4.48       Debian configuration management sy
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  zlib1g                      1:1.2.2-4    compression library - runtime

-- debconf information excluded
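
The taint-checking advice in the report above is easy to state and fiddly to
apply, so here is a worked example written for this page: a minimal
loginfo-style trigger that actually runs under -T.  It is not one of the cvs
contrib scripts and not code from the CVS project.  The invocation layout
(repository directory first, then one "file,oldrev,newrev" token per file,
commit message on stdin, as a CVS 1.12 loginfo line using %p %{sVv} would
supply), the path whitelist, and the use of /usr/bin/logger are all
assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example for this page; not one of the cvs contrib scripts.
# A minimal loginfo-style CVS trigger that runs cleanly under taint mode.
# Assumed invocation (a 1.12 loginfo line such as
#   ALL $CVSROOT/CVSROOT/loginfo.pl %p %{sVv}
# ): argv[0] is the repository-relative directory, the remaining arguments
# are "file,oldrev,newrev" tokens, and the log message arrives on stdin.
use strict;
use warnings;

# Under -T every value from outside the script (%ENV, @ARGV, stdin) is
# tainted.  Any system()/exec()/backtick call dies with
# "Insecure $ENV{PATH}" until PATH is set to a fixed value and the
# variables that influence a child shell are removed (see perlsec).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untainting is done by extracting a capture group from a whitelist match;
# the capture is clean, the original stays tainted.  Anything that does not
# match is rejected rather than "cleaned up".
sub untaint_path {
    my ($arg) = @_;
    return $1 if $arg =~ m{^([\w./+-]+)$} && $arg !~ m{(^|/)\.\.(/|$)};
    die "loginfo.pl: refusing unsafe path argument '$arg'\n";
}

sub untaint_revision {
    my ($arg) = @_;
    # CVS revisions look like 1.3 or 1.2.2.1; NONE marks an add or removal.
    return $1 if $arg =~ /^(\d+(?:\.\d+)*|NONE)$/;
    die "loginfo.pl: refusing unsafe revision '$arg'\n";
}

my $dir = untaint_path(shift @ARGV // die "usage: loginfo.pl dir file,old,new ...\n");

my @changes;
for my $token (@ARGV) {
    my ($file, $old, $new) = split /,/, $token, 3;
    die "loginfo.pl: malformed argument '$token'\n"
        unless defined $file && defined $old && defined $new;
    push @changes, sprintf '%s %s->%s',
        untaint_path($file), untaint_revision($old), untaint_revision($new);
}

# The commit message is only ever written out, never handed to a shell,
# so it may stay tainted: print and syswrite are not taint-checked.
my $message = do { local $/; <STDIN> } // '';
print "commit in $dir: @changes\n$message";

# Hand the summary to syslog.  The list form of system() means no shell
# parses the arguments, but under -T Perl still refuses a tainted argument
# even here (it does not know what /usr/bin/logger will do with it); the
# untainted $dir and @changes pass.
system('/usr/bin/logger', '-t', 'cvs-loginfo', "$dir: @changes") == 0
    or die "loginfo.pl: logger failed: $?\n";
```

Two practical points follow from this.  First, -T only takes effect from the
#! line when the kernel starts the interpreter, so the trigger must be
installed executable and named directly in loginfo (or invoked as
`perl -T script`); running it as `perl script` makes Perl exit with
"Too late for -T option".  Second, the error a freshly tainted script produces
is almost always "Insecure $ENV{PATH}" or "Insecure dependency in system",
and the fix is the pair of steps shown above, a fixed PATH plus a whitelist
capture per argument, never a blanket `$x = $1 if $x =~ /(.*)/`, which
untaints everything and defeats the check.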

---------------------------------------
Received: (at 305254-close) by bugs.debian.org; 27 Apr 2005 07:54:21 +0000
From [EMAIL PROTECTED] Wed Apr 27 00:54:20 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DQhNE-0007mU-00; Wed, 27 Apr 2005 00:54:20 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DQhGB-0002cA-00; Wed, 27 Apr 2005 03:47:03 -0400
From: Steve McIntyre <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#305254: fixed in cvs 1:1.12.9-13
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 27 Apr 2005 03:47:03 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: cvs
Source-Version: 1:1.12.9-13

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive:

cvs_1.12.9-13.diff.gz
  to pool/main/c/cvs/cvs_1.12.9-13.diff.gz
cvs_1.12.9-13.dsc
  to pool/main/c/cvs/cvs_1.12.9-13.dsc
cvs_1.12.9-13_alpha.deb
  to pool/main/c/cvs/cvs_1.12.9-13_alpha.deb
cvs_1.12.9-13_i386.deb
  to pool/main/c/cvs/cvs_1.12.9-13_i386.deb
cvs_1.12.9-13_ia64.deb
  to pool/main/c/cvs/cvs_1.12.9-13_ia64.deb
cvs_1.12.9-13_mips.deb
  to pool/main/c/cvs/cvs_1.12.9-13_mips.deb
cvs_1.12.9-13_powerpc.deb
  to pool/main/c/cvs/cvs_1.12.9-13_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <[EMAIL PROTECTED]> (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 27 Apr 2005 00:55:57 +0100
Source: cvs
Binary: cvs
Architecture: alpha i386 ia64 mips powerpc source 
Version: 1:1.12.9-13
Distribution: unstable
Urgency: high
Maintainer: Steve McIntyre <[EMAIL PROTECTED]>
Changed-By: Steve McIntyre <[EMAIL PROTECTED]>
Description: 
 cvs        - Concurrent Versions System
Closes: 305254
Changes: 
 cvs (1:1.12.9-13) unstable; urgency=high
 .
   * Security fixes, hence high urgency.
   * Fixes for CAN-2005-0753:
     + Buffer overflow
     + Arbitrary free() call
     + Potential NULL dereference
   * Fixes for contrib perl scripts
   * Closes: #305254
Files: 
 30856918fdcbe6d673b3bdfdcb282b02 1444386 devel optional cvs_1.12.9-13_i386.deb
 3cf1cfcb5eadd98fe273eeebe95fb90d 1602686 devel optional cvs_1.12.9-13_ia64.deb
 8df840f5f09dc0670a51f74ce7fe3077 695 devel optional cvs_1.12.9-13.dsc
 bfad77ad2af9bccedc0ec09f8f719933 1463028 devel optional cvs_1.12.9-13_powerpc.deb
 de78534409951b641c81e59c16315225 1471640 devel optional cvs_1.12.9-13_mips.deb
 f45d1b0525e46a69f43a5dd2b023cfdf 66710 devel optional cvs_1.12.9-13.diff.gz
 fba155872863955060a2ab629927da5e 1526552 devel optional cvs_1.12.9-13_alpha.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCbz7LfDt5cIjHwfcRAjagAKCLNiyY1fiw/oJhp6+yGzp66/DvwQCeNk47
JdPgKjQJEpwqVI5dOZdk8so=
=4XVL
-----END PGP SIGNATURE-----

