>>>>> "GAW" == Greg A Woods <[EMAIL PROTECTED]> writes:
>> http://alexm.here.ru/cvs-nserver/
>> That looks like a really good idea.
GAW> Be warned that if used in the scenario where it provides "virtual
GAW> repositories" it suffers the exact same design flaws (and is thus
GAW> at least equally insecure) as cvspserver.
GAW> See the recent thread on BUGTRAQ where someone "exposed" the
GAW> insecurities of cvspserver.
I've always thought that this is not limited to pserver itself. cvs
over rsh/ssh should also suffer from this problem, because
"Checkin-prog"/"Update-prog" are not parts of ":pserver:" protocol.
They are parts of the "CVS client/server protocol", as described in
cvsclient.info.
":pserver:" protocol covers only parts between "BEGIN AUTH REQUEST"
and "END AUTH REQUEST", that consists mostly of sending login name and
password.
So the "design flaw" is just in so much trusting strings passed by
remote clients and not in the :pserver: architecture, which is
adequate enough.
So when that will be fixed (and the simplest patch is included into
the advisory), cvs-nserver will too be fixed. For now I will not
release patched version of cvs-nserver until something more official
about it comes out (cvs-1.10.9, for example).
--alexm
