Yellow Dog Security Advisory: YDU-20030127-6
yellowdog-updates@lists.terrasoftsolutions.com
Mon, 27 Jan 2003 01:24:49 -0700 (MST)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: cvs
Issue Date: January 27, 2003
Priority: high
Advisory ID: YDU-20030127-6
1. Topic:
Updated cvs packages are available.
2. Problem:
"CVS is a version control system frequently used to manage source code
repositories. During an audit of the CVS sources, Stefan Esser
discovered an exploitable double-free bug in the CVS server.
On servers which are configured to allow anonymous read-only access, this
bug could be used by anonymous users to gain write privileges. Users with
CVS write privileges can then use the Update-prog and Checkin-prog features
to execute arbitrary commands on the server.
All users of CVS are advised to upgrade to these erratum packages which
contain patches to correct the double-free bug."
(from Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install cvs
b) Updating manually...
Download the updates below and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/cvs-1.11.1p1-8.7.ppc.rpm
4. Verification
MD5 checksum                      Package
--------------------------------  ------------------------------
9652be9c12995d3873d20b7ce24ff3d6  ppc/cvs-1.11.1p1-8.7.ppc.rpm
b18b0548056f9778cbe85983fdd7fc93  SRPMS/cvs-1.11.1p1-8.7.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
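The comparison of downloaded files against the checksum table in section 4 can also be scripted. The following is an added example, not part of the original advisory: it assumes the packages were saved into a single directory and that md5sum (GNU coreutils) is installed, and the function name verify_packages is hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): compare downloaded packages
# against the MD5 table published in section 4.

# Checksum table copied from section 4 of this advisory.
ADVISORY_SUMS='9652be9c12995d3873d20b7ce24ff3d6 ppc/cvs-1.11.1p1-8.7.ppc.rpm
b18b0548056f9778cbe85983fdd7fc93 SRPMS/cvs-1.11.1p1-8.7.src.rpm'

# verify_packages DIR [TABLE]   (hypothetical helper name)
# Looks in DIR for each file listed in TABLE (matched by basename) and
# compares its MD5 with the listed value. Returns 0 only when at least
# one file was checked and none mismatched. The body runs in a subshell
# so its variables do not leak into the caller.
verify_packages() (
    dir=$1
    table=${2:-$ADVISORY_SUMS}
    checked=0
    bad=0
    while read -r want path; do
        [ -n "$want" ] || continue
        name=${path##*/}
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "SKIP     $name (not present in $dir)"
            continue
        fi
        got=$(md5sum "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name: expected $want, got $got"
            bad=$((bad + 1))
        fi
    done <<EOF
$table
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
)

# Usage: sh verify.sh /path/to/downloaded/packages
if [ "$#" -gt 0 ]; then
    verify_packages "$1"
fi
```

A MISMATCH line, or a non-zero exit status, means the file should be downloaded again from a mirror before running rpm -Fvh.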
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml