Security Issues with WinCVS, TortoiseCVS, CVSNT.

[Arthur Barrett]

If you are using CVS 1.10 or CVS 1.11 server *and* client this message
does not concern you.

Just a quick reminder that the 'old' versions of CVSNT 2.0 and 2.5
shipped with TortoiseCVS and WinCVS have known security vulnerabilities:
https://www.march-hare.com/cvspro/security.htm

If you are using WinCVS or TortoiseCVS, then CVSNT is the software that
actually does the 'checkout' and 'commit' operations - you can 'see' it
running in the 'progress' window.  CVSNT is bundled with some copies of
WinCVS and all copies of TortoiseCVS.  WinCVS is the 'GUI' that gives
you the drop down menus etc. and TortoiseCVS gives you the right click
menu and the dialog boxes, CVSNT does the version control.  

In particular the CVSNT client (and hence WinCVS and TortoiseCVS) is
susceptible to the recent 'FREAK' SSL bug.  CVSNT servers are also
affected:
https://www.march-hare.com/cvspro/freak.htm

CVS Suite 2009R2 (CVSNT 2.8.01) was updated on 30th March 2015 to
resolve this.  

CVS Suite 2009R2 client contains TortoiseCVS, WinCVS, CVS Suite Studio,
Release Manager etc. and is compatible with Windows 8, Windows 7,
Windows Vista and Windows XP.  

CVS Suite 2009R2 command line client is compatible with Windows, Mac and
Linux.

CVS Suite 2009R2 server contains the high performance server service,
integration with Jira, Bugzilla and Mantis, failsafe audit, change and
merge tracking and is compatible with Linux, Mac, and Windows Server
2012R2, Windows Server 2012, Windows Server 2008R2, Windows Server 2008
and Windows Server 2003.

For more information please contact address@hidden

Regards,


Arthur Barrett
Product Manager
March Hare Software
authors of CVSNT since 2004