info-cvs
Re: CVS Feature Version 1.12.3 Released! (security update)


From: Kayed Alfi
Subject: Re: CVS Feature Version 1.12.3 Released! (security update)
Date: Tue, 16 Dec 2003 05:41:16 -0800 (PST)

Please tell me or point me to documentation on how to
upgrade my version of CVS if I am using wincvs 1.3?

Thanks,
--- Derek Robert Price <address@hidden> wrote:
> Steve McIntyre wrote:
>
> >On Fri, Dec 05, 2003 at 12:25:55AM -0500, Derek Robert Price wrote:
> >
> >>CVS feature version 1.12.3 has been released.  Feature releases contain
> >>new features as well as all the bug fixes from the stable release.  This
> >>release fixes a security issue with no known exploits that could cause
> >>previous versions of CVS to attempt to create files and directories in
> >>the filesystem root.  This release also fixes several issues relevant to
> >>case insensitive filesystems and some other bugs.  We recommend this
> >>upgrade for all CVS clients and servers already running the feature
> >>release and those users who like to stay on the cutting edge!
> >
> >
> >Derek, are you sure the simple fix in modules.c to check for
> >!isabsolute() will fix the hole here? What about people specifying
> >../../../../../../<something> ? Probably the easiest fix for that is
> >to modify isabsolute() to check for .. entries in the path
> >specified.
> >
> >Thoughts?
>
>
> If you can send me a reproducible case where CVS doesn't abort with an
> error, I'll be happy to look into it, but I am pretty sure CVS has been
> catching the indirection case for years.  Go ahead and try it.
>
> Derek
>
> - --
>                 *8^)
>
> Email: address@hidden
>
> Get CVS support at <http://ximbiot.com>!
> - --
> I will return the seeing-eye dog.
> I will return the seeing-eye dog.
> I will return the seeing-eye dog...
>
>           - Bart Simpson on chalkboard, _The Simpsons_
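The distinction raised in the quoted exchange, as an added example that is not part of the original messages and is not CVS source code: an absolute-path test on its own accepts paths built from `..` components, so the traversal check has to be a separate test. The function names (`is_absolute`, `has_dotdot`, `absolute_check_only`, `path_is_safe`) and the sample paths are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical absolute-path test: leading separator or a drive letter. */
static int is_absolute(const char *p)
{
    if (p[0] == '/' || p[0] == '\\')
        return 1;
    return isalpha((unsigned char)p[0]) && p[1] == ':';
}

/* Returns 1 if any component of the path is exactly "..". */
static int has_dotdot(const char *p)
{
    while (*p) {
        size_t n = strcspn(p, "/\\");   /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += n;
        if (*p)
            p++;                        /* step over the separator */
    }
    return 0;
}

/* The check the question asks about: absolute paths only. */
int absolute_check_only(const char *p)
{
    return !is_absolute(p);
}

/* Both checks. Rejecting every ".." is stricter than strictly needed
   ("a/../b" stays inside the tree) but needs no path resolution. */
int path_is_safe(const char *p)
{
    return p[0] != '\0' && !is_absolute(p) && !has_dotdot(p);
}

int main(void)
{
    /* Constructed sample paths, not taken from CVS or the thread. */
    const char *s[] = { "module/src", "/etc", "../../../../x",
                        "a/../../x", "a..b/c", "C:\\tmp" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-16s absolute-only=%d both=%d\n", s[i],
               absolute_check_only(s[i]), path_is_safe(s[i]));
    return 0;
}
```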