Yellow Dog Security Advisory: YDU-20030127-6

yellowdog-updates@lists.terrasoftsolutions.com
Mon, 27 Jan 2003 01:24:49 -0700 (MST)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	cvs
Issue Date:	January 27, 2003
Priority:	high
Advisory ID: 	YDU-20030127-6


1. 	Topic:

	Updated cvs packages are available.


2. 	Problem:

	"CVS is a version control system frequently used to manage source code
	repositories. During an audit of the CVS sources, Stefan Esser
	discovered an exploitable double-free bug in the CVS server.

	On servers which are configured to allow anonymous read-only access, this
	bug could be used by anonymous users to gain write privileges. Users with
	CVS write privileges can then use the Update-prog and Checkin-prog features
	to execute arbitrary commands on the server.

	All users of CVS are advised to upgrade to these erratum packages which
	contain patches to correct the double-free bug."
	(from Red Hat Advisory)


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install cvs

   	b) Updating manually...
	Download the updates below and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			ppc/cvs-1.11.1p1-8.7.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
9652be9c12995d3873d20b7ce24ff3d6  ppc/cvs-1.11.1p1-8.7.ppc.rpm
b18b0548056f9778cbe85983fdd7fc93  SRPMS/cvs-1.11.1p1-8.7.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml