Xin LI
2004-Jan-13 08:41 UTC
Request to upgrade cvs in FreeBSD [New stable cvs release fixing new vulnerability?]
Greetings, Peter and the Security Officers team,

There is a minor security vulnerability in cvs prior to 1.11.10, as described in CAN-2003-0977:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977

On December 10th, 2003, itojun imported cvs 1.11.10 into NetBSD, as follows:

http://mail-index.netbsd.org/source-changes/2003/12/10/0025.html
http://mail-index.netbsd.org/source-changes/2003/12/10/0026.html

After a week it was 'pulled-up' (MFC in our convention) to the 1.6 branch:

http://mail-index.netbsd.org/source-changes/2003/12/17/0020.html
http://mail-index.netbsd.org/source-changes/2003/12/17/0021.html

itojun clarified the update in this post:

http://mail-index.netbsd.org/tech-userlevel/2003/12/10/0003.html

Then I posted a request on this list, CC'ed to peter@, so@ and re@:

http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001286.html

Colin Percival then replied with a patch to mitigate the problem, which should be easy to audit:

http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001299.html

Unfortunately, before we had taken any steps (importing a new cvs version is not so trivial, and I guess that's the reason why you have not done it), cvs 1.11.11 was released and imported into NetBSD:

http://mail-index.netbsd.org/source-changes/2004/01/02/0021.html
http://mail-index.netbsd.org/source-changes/2004/01/02/0022.html

which mentions Gentoo Linux's security advisory, GLSA-200312-08; for your information, it is available on BugTraq:

http://www.securityfocus.com/archive/1/348448

So would you please consider having a similar action take place in FreeBSD? Or are we really not affected by this?

Thanks in advance!

Xin LI
Repo-meister, Project Coordinator and Liaison
The FreeBSD Simplified Chinese Project
Jacques A. Vidrine
2004-Jan-13 08:59 UTC
Request to upgrade cvs in FreeBSD [New stable cvs release fixing new vulnerability?]
On Wed, Jan 14, 2004 at 12:41:23AM +0800, Xin LI wrote:
> So would you please consider having a similar action take place in
> FreeBSD?

CVS is Peter's baby, and I am loathe to touch it. Maybe he'll tell us his near-term plans.

Cheers,
--
Jacques Vidrine   NTT/Verio SME      FreeBSD UNIX       Heimdal
nectar@celabo.org jvidrine@verio.net nectar@freebsd.org nectar@kth.se