Date: Wed, 5 Feb 2003 07:27:25 -0600
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Ben Stuyts <ben@altus-escon.com>
Cc: security@FreeBSD.ORG
Subject: Re: cvs security fix not in RELENG_4?
Message-ID: <20030205132725.GD65577@opus.celabo.org>
In-Reply-To: <200302051315.OAA19437@giskard.altus-escon.com>
References: <200302051315.OAA19437@giskard.altus-escon.com>

On Wed, Feb 05, 2003 at 02:15:27PM +0100, Ben Stuyts wrote:
> Hi,
>
> Regarding the security advisory concerning the remotely exploitable
> vulnerability in cvs server:
>
> I am running a 4-stable system with a cvs tag of RELENG_4 here. According to
> the advisory, this system is vulnerable.

The advisory says that RELENG_4 is NOT VULNERABLE as of
`2003-01-21 22:26:46 UTC'.

> However, I cannot find a fix for this in the RELENG_4 branch.

Yes you can. :-) You found it:

> The affected file server.c has a cvs id of 1.13.2.5 dated 2003/01/21.
> Nothing else has been committed since on this branch.

That revision contains the fix. Compare the diff with the one
referenced from the advisory.

<URL: http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/cvs/src/server.c.diff?r1=1.13.2.4&r2=1.13.2.5 >
<URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:01/cvs.patch >

> Am I overlooking something?

The security problem was fixed with an upgrade to CVS 1.11.5 in
-CURRENT and -STABLE. It was fixed with a simple patch in the
security branches.

Cheers,
--
Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
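
Added example, not part of the original message or of any FreeBSD tooling: a small check that reads the expanded CVS keyword from a source file and tells whether its revision is at or past 1.13.2.5 on the same branch. The function names, status strings and sample ident lines are constructed for illustration; only the revision numbers 1.13.2.4 and 1.13.2.5 and the file path come from the message.

```python
import re

# From the message: server.c revision 1.13.2.5 on RELENG_4 contains the fix.
FIXED_REVISION = "1.13.2.5"

# Expanded RCS/CVS keyword: "$FreeBSD: <path>,v <revision> <date> ... $"
IDENT_RE = re.compile(r"\$(?:FreeBSD|Id): (\S+),v (\d+(?:\.\d+)+) ")

# Constructed sample lines; the time and committer fields are placeholders.
SAMPLE_FIXED = ("/* $FreeBSD: src/contrib/cvs/src/server.c,v 1.13.2.5 "
                "2003/01/21 00:00:00 committer Exp $ */")
SAMPLE_OLD = ("/* $FreeBSD: src/contrib/cvs/src/server.c,v 1.13.2.4 "
              "2002/01/01 00:00:00 committer Exp $ */")


def parse_ident(text):
    """Return (rcs_path, revision) from the first expanded keyword, or None."""
    m = IDENT_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def branch_status(revision, fixed=FIXED_REVISION):
    """Compare a revision with the fixed one, only when both sit on one branch.

    Revisions on a CVS branch share every component except the last, so
    1.13.2.4 and 1.13.2.5 are comparable. A revision with a different prefix
    (trunk, or a security branch) cannot be judged by number alone; for those
    the advisory and its patch are the reference.
    """
    rev = [int(p) for p in revision.split(".")]
    fix = [int(p) for p in fixed.split(".")]
    if rev[:-1] != fix[:-1]:
        return "other-branch"
    # Numeric comparison, so 1.13.2.10 sorts after 1.13.2.5.
    return "fixed" if rev[-1] >= fix[-1] else "before-fix"


def check_source(text):
    """Classify a source file's text by the revision in its ident keyword."""
    ident = parse_ident(text)
    return "no-ident" if ident is None else branch_status(ident[1])


if __name__ == "__main__":
    for sample in (SAMPLE_FIXED, SAMPLE_OLD):
        print(parse_ident(sample), check_source(sample))
```
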