Date: Wed, 14 Jan 2004 00:41:23 +0800 From: "Xin LI" <delphij@frontfree.net> To: <freebsd-security@freebsd.org> Cc: peter@FreeBSD.org Subject: Request to upgrade cvs in FreeBSD [New stable cvs release fixing new vulnerability?] Message-ID: <02f201c3d9f4$15c51130$0401a8c0@phantasm205>
next in thread | raw e-mail | index | archive | help
Greetings, Peter and the Security Officers team, There is a minor security vulnerability in cvs prior 1.11.10, as described in CAN-2003-0977: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977 On December 10th, 2003, itojun has imported cvs 1.11.10 into NetBSD, as the follows: http://mail-index.netbsd.org/source-changes/2003/12/10/0025.html http://mail-index.netbsd.org/source-changes/2003/12/10/0026.html After a week it has been 'pulled-up' (MFC in our convention) to 1.6 branch: http://mail-index.netbsd.org/source-changes/2003/12/17/0020.html http://mail-index.netbsd.org/source-changes/2003/12/17/0021.html itojun has clarified the update on this post: http://mail-index.netbsd.org/tech-userlevel/2003/12/10/0003.html Then I posted a request on this list, having CC'ed to peter@, so@ and re@: http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001286.html Colin Percival then replied with a patch to mitigate the problem, which should be easy to audited: http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001299.html Unfortunately, before we have taken any steps (importing a new cvs version is not so trivial and I guess that's the reason why you have not done it), cvs 1.11.11 has been released, and imported into NetBSD: http://mail-index.netbsd.org/source-changes/2004/01/02/0021.html http://mail-index.netbsd.org/source-changes/2004/01/02/0022.html Which mentions Gentoo Linux's security advisory, GLSA-200312-08, for your information, is available on BugTraq: http://www.securityfocus.com/archive/1/348448 So would you please consider a similar action to be taken place in FreeBSD? Or, are we really not affected by this? Thanks in advance! Xin LI Repo-meister, Project Coordinator and Liaison The FreeBSD Simplified Chinese Project
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?02f201c3d9f4$15c51130$0401a8c0>