Request to upgrade cvs in FreeBSD [New stable cvs release fixing new vulnerability?]
Xin LI
delphij at frontfree.net
Tue Jan 13 08:41:33 PST 2004
Greetings, Peter and the Security Officers team,
There is a minor security vulnerability in cvs prior to 1.11.10, as described
in CAN-2003-0977:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
On December 10th, 2003, itojun imported cvs 1.11.10 into NetBSD, as
follows:
http://mail-index.netbsd.org/source-changes/2003/12/10/0025.html
http://mail-index.netbsd.org/source-changes/2003/12/10/0026.html
After a week it was 'pulled up' (MFC in our convention) to the 1.6 branch:
http://mail-index.netbsd.org/source-changes/2003/12/17/0020.html
http://mail-index.netbsd.org/source-changes/2003/12/17/0021.html
itojun clarified the update in this post:
http://mail-index.netbsd.org/tech-userlevel/2003/12/10/0003.html
Then I posted a request on this list, CC'ing peter@, so@ and re@:
http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001286.html
Colin Percival then replied with a patch to mitigate the problem, which
should be easy to audit:
http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001299.html
Unfortunately, before we had taken any steps (importing a new cvs version
is not so trivial, and I guess that's the reason why you have not done it),
cvs 1.11.11 was released and imported into NetBSD:
http://mail-index.netbsd.org/source-changes/2004/01/02/0021.html
http://mail-index.netbsd.org/source-changes/2004/01/02/0022.html
These mention Gentoo Linux's security advisory, GLSA-200312-08, which, for
your information, is available on BugTraq:
http://www.securityfocus.com/archive/1/348448
So would you please consider taking similar action in FreeBSD?
Or, are we really not affected by this?
Thanks in advance!
Xin LI
Repo-meister, Project Coordinator and Liaison
The FreeBSD Simplified Chinese Project