bug-cvs

Re: CVS Security Vulnerability


From: Derek Robert Price
Subject: Re: CVS Security Vulnerability
Date: Tue, 25 May 2004 11:29:32 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Code reviews are being conducted by interested parties.  Most of those
parties are not me and I have little information on their current
progress.

Derek

Richard Wesley wrote:

> Pardon me if this is an ignorant question, but is there going to be
> a code audit starting from the date of the rooting of the server?
>
> At 5:08 PM -0400 5/24/04, Derek Robert Price wrote:
>
>> Hi all,
>>
>> For those who don't know, cvshome.org is currently down because it was
>> hacked, via its CVS server we believe.  cvshome.org was used to send
>> an email that contains an exploit for the security vulnerability
>> CAN-2004-0396
>> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396>
>> patched in releases 1.11.16 & 1.12.8.
>>
>> The email with the exploit is here:
>> <http://www.packetstormsecurity.org/0405-exploits/cvs_linux_freebsd_HEAP.c>.
>>
>> Our working theory is that cvshome.org was abused to send the email
>> using a root kit installed prior to the patching of its CVS server for
>> CAN-2004-0396.
>>
>> Note that this vulnerability requires a valid login id & password on
>> the CVS server to exploit, but that even an anonymous & read-only
>> account is sufficient.  This vulnerability also applies to any CVS
>> server, post-authentication.  A CVS server accessed via pserver, ssh,
>> or any other method will be equally vulnerable.
>>
>> I recommend that any CVS server running a release of CVS earlier than
>> 1.11.16 or 1.12.8 be taken down immediately and patched.
>>
>> cvshome.org should be back up shortly but it may be some time before
>> anonymous read-only access is re-enabled.  Thanks go out to the folks
>> at CollabNet for all the time they have been spending on this.
>>
>> Derek
>>
>> _______________________________________________
>> Info-cvs mailing list
>> Info-cvs@gnu.org
>> http://mail.gnu.org/mailman/listinfo/info-cvs
>
> Best regards,
>
> Richard Wesley
> Co-President, Electric Fish, Inc.
> <http://www.electricfish.com/>
> (v) +1-206-493-1690x210
> (f) +1-206-493-1697
> (h) +1-206-632-4536
> (m) +1-206-409-4536



- --
                *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAs2ZbLD1OTBfyMaQRApgEAKDrQAI1yvkR0viU16BBB2nXglWdaQCgzMq4
K74+rS22JXFwon59wduQ7mg=
=aBj1
-----END PGP SIGNATURE-----
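The quoted advisory above gives the patched releases for CAN-2004-0396 as 1.11.16 and 1.12.8 and tells administrators to take down anything older. The script below is an added example, not code from the post or from the CVS project, that turns that advice into a check: it pulls the release number out of a `cvs --version` banner and decides, branch by branch, whether the release predates the fix. The banners it is fed are constructed sample input in the format real `cvs --version` output uses; on a live host you would pass it `cvs --version 2>&1` from the server's own binary. It assumes the banner contains the text `(CVS) X.Y.Z`, and it treats any branch newer than 1.12 as carrying the fix, which is an assumption the post does not state (the post names only those two releases).

```shell
#!/bin/sh
# Added example (not from the original post): classify a CVS release against
# the fixes for CAN-2004-0396, which the post says shipped in 1.11.16 and
# 1.12.8.  The banners used below are constructed sample input; on a real
# host feed this `cvs --version 2>&1` from the server's binary instead.

# Extract the first X.Y.Z release number from a `cvs --version` banner.
# Assumes the banner contains "(CVS) X.Y.Z"; prints nothing if it does not.
cvs_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*(CVS) \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print "vulnerable" or "patched" for an X.Y.Z CVS version.
# Anything older than the 1.11 branch predates both fixes; within 1.11 and
# 1.12 the patch level is compared against 16 and 8 respectively; branches
# newer than 1.12 are assumed to carry the fix (an assumption: the post
# names only the two releases above).
classify_cvs_version() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}   # ignore any components after X.Y.Z
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 11 ]; }; then
        echo vulnerable
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 11 ]; then
        [ "$patch" -lt 16 ] && echo vulnerable || echo patched
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 12 ]; then
        [ "$patch" -lt 8 ] && echo vulnerable || echo patched
    else
        echo patched
    fi
}

# Check a whole banner: prints "X.Y.Z vulnerable|patched", or "unparseable"
# when no release number can be found (e.g. cvs is not installed).
check_cvs_banner() {
    v=$(cvs_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unparseable
    else
        echo "$v $(classify_cvs_version "$v")"
    fi
}

# Constructed sample banners in the format of real `cvs --version` output.
for banner in \
    'Concurrent Versions System (CVS) 1.11.15 (client/server)' \
    'Concurrent Versions System (CVS) 1.11.16 (client/server)' \
    'Concurrent Versions System (CVS) 1.12.7 (client/server)' \
    'Concurrent Versions System (CVS) 1.12.8 (client/server)' \
    'Concurrent Versions System (CVS) 1.10.8 (client/server)' \
    'sh: cvs: command not found'
do
    check_cvs_banner "$banner"
done
```

Run it against the binary the server actually executes for pserver or ssh logins, not a client workstation: the post says the flaw is post-authentication and independent of access method, so the only version that matters is the one serving the repository, and an `unparseable` result means the check found no banner rather than a safe install.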