
Re: CVS Security Vulnerability

From: Derek Robert Price
Subject: Re: CVS Security Vulnerability
Date: Tue, 25 May 2004 11:29:32 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413


Code reviews are being conducted by interested parties.  Most of those
parties are not me and I have little information on their current


Richard Wesley wrote:

> Pardon me if this is an ignorant question, but is there going to be
> a code audit starting from the date of the rooting of the server?
>
> At 5:08 PM -0400 5/24/04, Derek Robert Price wrote:
>
>> Hi all,
>>
>> For those who don't know, cvshome.org is currently down because it was
>> hacked, via its CVS server we believe.  cvshome.org was used to send
>> an email that contains an exploit for the security vulnerability
>> CAN-2004-0396
>> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396>
>> patched in releases 1.11.16 & 1.12.8.
>>
>> The email with the exploit is here:
>>
>> Our working theory is that cvshome.org was abused to send the email
>> using a root kit installed prior to the patching of its CVS server for
>> CAN-2004-0396.
>>
>> Note that this vulnerability requires a valid login id & password on
>> the CVS server to exploit, but that even an anonymous & read-only
>> account is sufficient.  This vulnerability also applies to any CVS
>> server, post-authentication.  A CVS server accessed via pserver, ssh,
>> or any other method will be equally vulnerable.
>>
>> I recommend that any CVS server running a release of CVS earlier than
>> 1.11.16 or 1.12.8 be taken down immediately and patched.
>>
>> cvshome.org should be back up shortly but it may be some time before
>> anonymous read-only access is re-enabled.  Thanks go out to the folks
>> at CollabNet for all the time they have been spending on this.
>>
>> Derek
>
> Best regards,
>
> Richard Wesley
> Co-President, Electric Fish, Inc.
> <http://www.electricfish.com/>
> (v) +1-206-493-1690x210
> (f) +1-206-493-1697
> (h) +1-206-632-4536
> (m) +1-206-409-4536

--

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
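The quoted advisory says any server older than 1.11.16 or 1.12.8 should be taken down and patched. Deciding that from a version string is branch-sensitive (1.12.7 sorts above 1.11.16 numerically yet is still unpatched), so here is an added example, not code from the list or the CVS project, that does the comparison per branch; the `cvs --version` banner it parses is a constructed sample and the function names are my own.

```python
"""Branch-aware check of a CVS version against the fixed releases named in
the advisory for CAN-2004-0396 (1.11.16 and 1.12.8). Added example; the
sample banner below is constructed, not captured from a real server."""
import re
import subprocess
from typing import Optional, Tuple

# First release on each stable branch carrying the fix, per the advisory.
FIXED = {(1, 11): (1, 11, 16), (1, 12): (1, 12, 8)}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first x.y.z version found in text, or None.
    Suffixes such as '1.11.1p1' parse as 1.11.1, which is still old enough."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    a, b, c = (int(x) for x in m.groups())
    return (a, b, c)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version predates the fix on its branch, False if fixed,
    None if unparseable or on a branch newer than the advisory covers
    (treat None as 'investigate manually')."""
    v = parse_version(text)
    if v is None:
        return None
    branch = v[:2]
    if branch < (1, 11):
        return True  # older than both patched branches
    fixed = FIXED.get(branch)
    if fixed is None:
        return None  # e.g. a hypothetical 1.13.x: not named in the advisory
    # Compare only within the branch; a flat numeric sort would call 1.12.7
    # "newer than 1.11.16" and wrongly pass it.
    return v < fixed


def local_cvs_vulnerable() -> Optional[bool]:
    """Check the cvs binary on PATH; None if it is not installed."""
    try:
        proc = subprocess.run(["cvs", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return is_vulnerable(proc.stdout)


# Constructed sample in the shape of a cvs --version banner.
SAMPLE = "Concurrent Versions System (CVS) 1.11.15 (client/server)\n"

if __name__ == "__main__":
    print("vulnerable" if is_vulnerable(SAMPLE) else "patched or unknown")
```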
