Home > Security > Advisories

Advisories

Mandriva Advisories

Package name cvs
Date December 8th, 2003
Advisory ID MDKSA-2003:112
Affected versions 9.0, 9.1, 9.2, CS2.1
Synopsis Updated cvs packages fix malformed module request vulnerability

Problem Description

A vulnerability was discovered in the CVS server < 1.11.10 where a
malformed module request could cause the CVS server to attempt to
create directories and possibly files at the root of the filesystem
holding the CVS repository.

Updated packages are available that fix the vulnerability by providing
CVS 1.11.10 on all supported distributions.

Updated Packages

Mandrakelinux 9.0

 5806c1f58d1a4b50071c4e8eabf8ca70  9.0/RPMS/cvs-1.11.10-0.1.90mdk.i586.rpm
34d0619fb9a4b33bc267077ec53c4325  9.0/SRPMS/cvs-1.11.10-0.1.90mdk.src.rpm

Mandrakelinux 9.1

 09a0e4a98785f7c280721f8da9464d56  9.1/RPMS/cvs-1.11.10-0.1.91mdk.i586.rpm
bdc1ec67c325d52513e363a65d4966f4  9.1/SRPMS/cvs-1.11.10-0.1.91mdk.src.rpm

Mandrakelinux 9.1/PPC

 a98001e93bb247876fb43da2b605bec6  ppc/9.1/RPMS/cvs-1.11.10-0.1.91mdk.ppc.rpm
bdc1ec67c325d52513e363a65d4966f4  ppc/9.1/SRPMS/cvs-1.11.10-0.1.91mdk.src.rpm

Mandrakelinux 9.2

 449dd893fe2f4be99720e6429291bcd9  9.2/RPMS/cvs-1.11.10-0.1.92mdk.i586.rpm
65182f4e05d59d8fc849e638b938cf25  9.2/SRPMS/cvs-1.11.10-0.1.92mdk.src.rpm

Corporate Server 2.1

 3df2e61371a43ace630867b785bdd2c8  corporate/2.1/RPMS/cvs-1.11.10-0.1.C21mdk.i586.rpm
60da7875867b5162d6289124e20f56f3  corporate/2.1/SRPMS/cvs-1.11.10-0.1.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 2a052c43d454d6b5839c45106ebd78c6  x86_64/corporate/2.1/RPMS/cvs-1.11.10-0.1.C21mdk.x86_64.rpm
60da7875867b5162d6289124e20f56f3  x86_64/corporate/2.1/SRPMS/cvs-1.11.10-0.1.C21mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.