[PLDSA 21-1] New cvs packages fix arbitrary code execution

Krzysiek Taraszka dzimi at pld.org.pl
Thu Jan 30 14:12:16 CET 2003


- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 21-1                        security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
26 January 2003                       http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : prior to cvs-1.11.2-6		
Vulnerability  : doubly freed memory
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2003-0015

Stefan Esser discovered a problem in cvs, a concurrent versions
system, which is used for many Free Software projects.  The current
version contains a flaw that can be used by a remote attacker to
execute arbitrary code on the CVS server under the user id the CVS
server runs as.  Anonymous read-only access is sufficient to exploit
this problem.

The above problems have been fixed in version 1.11.5-2 for the
current stable distribution (ra).

We recommend that you upgrade your cvs packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using the "poldek" package manager, use the lines given below
to upgrade the packages

poldek --update
        will update the internal database
poldek --upgrade 'cvs*'
        will install corrected packages

If you are using the "apt" package manager, use the lines given below
to upgrade the packages

apt-get update
        will update the internal database
apt-get upgrade 'cvs*'
        will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/cvs-1.11.5-2.src.rpm
       MD5 checksum: 76e0d795392dd0285b078c6322cb781a

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cvs-1.11.5-2.i386.rpm
       MD5 checksum: 633b7064fc709b448101e2649aa33767

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cvs-pserver-1.11.5-2.i386.rpm
       MD5 checksum: 7cee26911e833b4249a84ab751477b1d


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cvs-1.11.5-2.i586.rpm
       MD5 checksum: 639a3caec4ca47d3bdc8b7dcb9c8d261

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cvs-pserver-1.11.5-2.i586.rpm
       MD5 checksum: 1004a3b488b2e6783ab14535d76dfa24


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cvs-1.11.5-2.i686.rpm
       MD5 checksum: e80d3c15b00f909b5dbc2726a9c9184a

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cvs-pserver-1.11.5-2.i686.rpm
       MD5 checksum: c6cabebd92ee7e1425dd70df93d5ec38


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cvs-1.11.5-2.ppc.rpm
       MD5 checksum: fe3d54a05221386ef73de61b4be2147f

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cvs-pserver-1.11.5-2.ppc.rpm
       MD5 checksum: 8f45a3adceaf79508315c7ed04d83be7
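
One way to check downloaded packages against the MD5 checksums listed above
before running rpm -Uhv. This is an added example, not part of the original
advisory; the function names are hypothetical, and it assumes the advisory
text is saved to a file and that awk and md5sum are installed.

```shell
#!/bin/sh
# Added example (not from the advisory); function names are hypothetical.
# Assumes the advisory layout shown above: a package URL on its own line,
# followed by an "MD5 checksum: <32 hex digits>" line.

# Read advisory text on stdin; print "md5  filename" for each package entry.
advisory_md5_list() {
    awk '
        NF == 1 && $1 ~ /^(ftp|http|https):/ && $1 ~ /\.rpm$/ {
            n = split($1, parts, "/"); file = parts[n]; next
        }
        $1 == "MD5" && $2 == "checksum:" && file != "" {
            sum = tolower($3)
            if (length(sum) == 32 && sum ~ /^[0-9a-f]+$/) print sum "  " file
            file = ""
        }
    '
}

# verify_downloads ADVISORY DIR
# Compare every listed package found in DIR with its advisory checksum.
# Succeeds only if at least one file was checked and none mismatched.
verify_downloads() {
    advisory=$1; dir=$2; checked=0; bad=0
    list=$(advisory_md5_list < "$advisory")
    while read -r sum file; do
        [ -f "$dir/$file" ] || continue        # not downloaded, skip
        checked=$((checked + 1))
        actual=$(md5sum < "$dir/$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK        $file"
        else
            echo "MISMATCH  $file"
            bad=$((bad + 1))
        fi
    done <<EOF
$list
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage: sh verify.sh advisory.txt download-dir && rpm -Uhv download-dir/cvs*.rpm
if [ "$#" -eq 2 ]; then
    verify_downloads "$1" "$2"
fi
```

A match only shows that the file is the one the advisory lists, so the
advisory text itself should come from a copy whose signature has been checked.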


- --------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


