Bug 152715

Summary: CVS security patches (CAN-2004-0180, CAN-2002-0844)
Product: [Retired] Fedora Legacy
Reporter: David Lawrence <dkl>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:24:59 UTC
I built 2 source RPMs for the actual security issues in the package CVS
(CAN-2004-0180, CAN-2002-0844); the patches are taken from RHEL.

Fixed in all RHELs and RH9:
https://rhn.redhat.com/errata/RHSA-2004-154.html
https://rhn.redhat.com/errata/RHSA-2004-153.html

Changelog in the RPM for Red Hat Linux 7.2 and 7.3:
- added 2 fixes from Derek Robert Price for client-trusts-server
  vulnerability in handling of filename paths (CAN-2004-0180)
- added patch for disallowing "CVS" as name of files or directories being
  imported, 1.11.2-to-1.11.14 maintain patch
- included fix for CAN-2002-0844, an off-by-one in sscanf call

http://labs.linuxnetz.de/~fedoralegacy/redhat-7.2/cvs-1.11.1p1-10.7.legacy.src.rpm
http://labs.linuxnetz.de/~fedoralegacy/redhat-7.2/cvs-1.11.1p1-10.7.legacy.src.rpm.asc


Changelog in the RPM for Red Hat Linux 8.0:
- added 2 fixes from Derek Robert Price for client-trusts-server
  vulnerability in handling of filename paths (CAN-2004-0180)
- added patch for disallowing "CVS" as name of files or directories being
  imported, 1.11.2-to-1.11.14 maintain patch

http://labs.linuxnetz.de/~fedoralegacy/redhat-8.0/cvs-1.11.2-10.legacy.src.rpm
http://labs.linuxnetz.de/~fedoralegacy/redhat-8.0/cvs-1.11.2-10.legacy.src.rpm.asc

Please test the RPMs... :)

------- Additional Comments From jkeating 2004-05-10 08:16:02 ----

*** This bug has been marked as a duplicate of 1485 ***

------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1584 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1584
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was fedora-bugzilla.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.