OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 11-Jun-2004 10:12:39 Branch: HEAD Handle: -NONE- Added files: openpkg-web/security OpenPKG-SA-2004.027-cvs.txt Modified files: openpkg-web security.txt security.wml Log: OpenPKG-SA-2004.027-cvs, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418 Summary: Revision Changes Path 1.82 +0 -0 openpkg-web/security.txt 1.102 +0 -0 openpkg-web/security.wml 1.1 +79 -0 openpkg-web/security/OpenPKG-SA-2004.027-cvs.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-web/security.txt ============================================================================ $ cvs diff -u -r1.81 -r1.82 security.txt --- openpkg-web/security.txt 5 Jun 2004 11:33:51 -0000 1.81 +++ openpkg-web/security.txt 11 Jun 2004 08:12:38 -0000 1.82 @@ -1,3 +1,4 @@ +10-Jun-2004: Security Advisory: S<OpenPKG-SA-2004.027-cvs> 27-May-2004: Security Advisory: S<OpenPKG-SA-2004.026-apache> 21-May-2004: Security Advisory: S<OpenPKG-SA-2004.025-rsync> 19-May-2004: Security Advisory: S<OpenPKG-SA-2004.024-neon> @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml ============================================================================ $ cvs diff -u -r1.101 -r1.102 security.wml --- openpkg-web/security.wml 5 Jun 2004 11:33:51 -0000 1.101 +++ openpkg-web/security.wml 11 Jun 2004 08:12:38 -0000 1.102 @@ -76,6 +76,7 @@ </define-tag> <box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5"> <table cellspacing=0 cellpadding=0 border=0> + <sa 2004.027 cvs> <sa 2004.026 apache> <sa 2004.025 rsync> <sa 2004.024 neon> @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.027-cvs.txt ============================================================================ $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.027-cvs.txt 
--- /dev/null 2004-06-11 10:12:39.000000000 +0200 +++ OpenPKG-SA-2004.027-cvs.txt 2004-06-11 10:12:39.000000000 +0200 
@@ -0,0 +1,79 @@ +#FIXME, this is a template +#FIXME, the first three lines are just dummies +#FIXME, to help comparing this against sibling signed documents +________________________________________________________________________ + +OpenPKG Security Advisory The OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2004.027 11-Jun-2004 +________________________________________________________________________ + +Package: cvs +Vulnerability: multiple remote compromises +OpenPKG Specific: no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= cvs-1.12.8-20040607 >= cvs-1.12.9-20040609 +OpenPKG 2.0 <= cvs-1.12.5-2.0.2 >= cvs-1.12.5-2.0.3 +OpenPKG 1.3 <= cvs-1.12.1-1.3.5 >= cvs-1.12.1-1.3.6 + +Affected Releases: Dependent Packages: none + +Description: + According to an e-matters Security Advisory [0] multiple remote + vulnerabilities exists in the Concurrent Versions System (CVS) [1] + which allow remote compromise of CVS servers. Derek Price, Stefan + Esser and Sebastian Krahmer discovered and fixed several security + issues. The Common Vulnerabilities and Exposures (CVE) project + assigned the ids CAN-2004-0414 [2], CAN-2004-0416 [3], CAN-2004-0417 + [4] and CAN-2004-0418 [5] to the problems. + + Please check whether you are affected by running "<prefix>/bin/rpm -q + cvs". If you have the "cvs" package installed and its version is + affected (see above), we recommend that you immediately upgrade + it (see Solution). [6][7] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [8][9], fetch it from the OpenPKG FTP service [10][11] or a mirror + location, verify its integrity [12], build a corresponding binary RPM + from it [6] and update your OpenPKG installation by applying the + binary RPM [7]. 
For the most recent release OpenPKG 2.0, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.0/UPD + ftp> get cvs-1.12.5-2.0.3.src.rpm + ftp> bye + $ <prefix>/bin/openpkg rpm -v --checksig cvs-1.12.5-2.0.3.src.rpm + $ <prefix>/bin/openpkg rpm --rebuild cvs-1.12.5-2.0.3.src.rpm + $ su - + # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/cvs-1.12.5-2.0.3.*.rpm +________________________________________________________________________ + +References: + [0] http://security.e-matters.de/advisories/092004.html + [1] http://www.cvshome.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0414 + [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0416 + [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0417 + [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0418 + [6] http://www.openpkg.org/tutorial.html#regular-source + [7] http://www.openpkg.org/tutorial.html#regular-binary + [8] ftp://ftp.openpkg.org/release/1.3/UPD/cvs-1.12.1-1.3.6.src.rpm + [9] ftp://ftp.openpkg.org/release/2.0/UPD/cvs-1.12.5-2.0.3.src.rpm + [10] ftp://ftp.openpkg.org/release/1.3/UPD/ + [11] ftp://ftp.openpkg.org/release/2.0/UPD/ + [12] http://www.openpkg.org/security.html#signature +________________________________________________________________________ + +For security reasons, this advisory was digitally signed with the +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the +OpenPKG project which you can retrieve from http://pgp.openpkg.org and +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ +for details on how to verify the integrity of this advisory. +________________________________________________________________________ + @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
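Review bot: the date in the new security.txt entry (`+10-Jun-2004: Security Advisory: S<OpenPKG-SA-2004.027-cvs>`) does not match the advisory itself, whose header reads `OpenPKG-SA-2004.027 11-Jun-2004`, nor the 11-Jun-2004 commit date. Align the security.txt line with the advisory header (or vice versa) so the index and the signed document agree on the publication date.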
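Review bot: the new OpenPKG-SA-2004.027-cvs.txt is committed with its three `#FIXME, this is a template` placeholder lines still at the top; the comment itself says they only stand in for the signature header of sibling signed documents, so they must be replaced before the advisory is published and signed, otherwise the published text carries editorial markers. While touching the Description, `multiple remote vulnerabilities exists` should read `exist`.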