Dmitry Pryanishnikov
2004-Sep-14 01:16 UTC
multiple vulnerabilities in the cvs server code
Hello!

Port security/portaudit reports the following problem:

Affected package: FreeBSD-491000
Type of problem: multiple vulnerabilities in the cvs server code.
Reference: <http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html>
Note: To disable this check add the uuid to `portaudit_fixed' in /usr/local/etc/portaudit.conf

I have 2 related questions:

1) What are the current plans to fix these vulnerabilities?
2) Are the FreeBSD public CVS servers trustworthy now?

Sincerely,
Dmitry

-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
Dmitry Pryanishnikov
2004-Sep-14 06:37 UTC
multiple vulnerabilities in the cvs server code
Hello!

On Tue, 14 Sep 2004, Volker Stolz wrote:
>> Type of problem: multiple vulnerabilities in the cvs server code.
>> 1) What are current plans to fix these vulnerabilities?
>
> The related security advisory [SA] was already published in May:
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc
> (SAs are available from the project's front page).

As I read in this SA, this vulnerability was fixed on 2004-05-20, before 4.10 was released, so 4.10-RELEASE isn't vulnerable, right? But portaudit still complains about FreeBSD-491000. Probably a wrong check in the auditfile?

Also, it would be nice if such advisories advanced kern.osreldate, so the auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11, which isn't vulnerable to this problem, but kern.osreldate is still 490000 there. If the Security Officer bumps src/sys/conf/newvers.sh, why doesn't he bump src/sys/sys/param.h?

Sincerely,
Dmitry

-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
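The mismatch Dmitry describes, as an added illustration that is not part of the thread and not portaudit's own code: kern.osreldate (from src/sys/sys/param.h) only encodes the major/minor release, so 4.9-RELEASE and 4.9-RELEASE-p11 both report 490000, while the security-branch patch level appears only in the release string that newvers.sh feeds to uname -r. The script below contrasts a check keyed on osreldate alone with one that also parses the -pN suffix. The host values and the "fixed in 4.9-RELEASE-p9" threshold are constructed sample inputs for the example, not figures taken from the advisory.

```shell
#!/bin/sh
# Added example, not from the original thread or from portaudit.
# Shows why a kern.osreldate-only check flags a patched 4.9-RELEASE-pN host.

# Patch level N of a FreeBSD release string such as 4.9-RELEASE-p11.
# A string with no -pN suffix (a plain RELEASE) is patch level 0.
patchlevel() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Base release, e.g. "4.9" from "4.9-RELEASE-p11".
baserel() {
    echo "${1%%-*}"
}

# Check keyed on kern.osreldate only, as the thread describes the auditfile
# doing: "vulnerable" whenever the host value is below the fixed value.
# Usage: check_by_osreldate HOST_OSRELDATE FIXED_OSRELDATE
check_by_osreldate() {
    if [ "$1" -lt "$2" ]; then echo vulnerable; else echo ok; fi
}

# Check keyed on the uname -r style release string, which carries the patch
# level. "ok" when the host base release is newer than the fixed one, or the
# same base release at a patch level >= the fixed patch level.
# Usage: check_by_patchlevel HOST_RELEASE FIXED_RELEASE
check_by_patchlevel() {
    hb=$(baserel "$1"); fb=$(baserel "$2")
    hp=$(patchlevel "$1"); fp=$(patchlevel "$2")
    hmaj=${hb%%.*}; hmin=${hb#*.}
    fmaj=${fb%%.*}; fmin=${fb#*.}
    if [ "$hmaj" -gt "$fmaj" ] || { [ "$hmaj" -eq "$fmaj" ] && [ "$hmin" -gt "$fmin" ]; }; then
        echo ok
    elif [ "$hmaj" -eq "$fmaj" ] && [ "$hmin" -eq "$fmin" ] && [ "$hp" -ge "$fp" ]; then
        echo ok
    else
        echo vulnerable
    fi
}

# Constructed sample host: the 4.9-RELEASE-p11 box from the thread, which still
# reports kern.osreldate 490000. The fixed patch level (p9) is hypothetical.
host_osreldate=490000
host_release=4.9-RELEASE-p11
fixed_release=4.9-RELEASE-p9

echo "osreldate check:  $(check_by_osreldate "$host_osreldate" 491000)"      # vulnerable (false positive)
echo "patchlevel check: $(check_by_patchlevel "$host_release" "$fixed_release")"  # ok
```

On a real host the two inputs would come from `sysctl -n kern.osreldate` and `uname -r`; the point of the contrast is that only the second carries the -pN that a security-branch fix changes.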