| Jeff Abrahamson on 28 May 2004 11:26:02 -0000 |
|
On Fri, May 28, 2004 at 11:45:29AM +0530, McLinux wrote: > [12 lines, 22 words, 368 characters] Top characters:_ lnshopa > > Hi all, > > Check this out: http://cvshome.org/ I think this is more routine that it makes out to be or than your terse message suggests, although still an exploitable vulnerability. Routine because cvs has not been immune over time to remotely exploitable vulnerabilities. Looking only at the 2004 Debian security archive, I found three: http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00017.html http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00085.html http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00105.html This last appears to be the same bug reported on the cvs web site in their link to CVE. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396 The post on packetstorm to which cvs links http://www.packetstormsecurity.org/0405-exploits/cvs_linux_freebsd_HEAP.c seems less than professional, so my first thought was that it was not legitimate. But poking about it appears not only legit but also that the problem was fixed nine days ago. -- Jeff Jeff Abrahamson <http://www.purple.com/jeff/> GPG fingerprint: 1A1A BA95 D082 A558 A276 63C6 16BF 8C4C 0D1D AE4B A cool book of games, highly worth checking out: http://www.amazon.com/exec/obidos/ASIN/1931686963/purple-20 Attachment:
signature.asc
|
|