From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; Galeon) Gecko/20031114 Galeon/1.3.10

Description of problem:
Here's the cvs-1.11.11 release announcement:

=======================================================
Stable CVS 1.11.11 has been released. Stable releases contain only bug fixes from previous versions of CVS. This release adds code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file. Previously, any user with the ability to write the CVSROOT/passwd file could execute arbitrary code as the root user on systems with CVS pserver access enabled. We recommend this upgrade for all CVS servers!
=======================================================

This vulnerability was used to exploit the Savannah servers, according to a post about a LWN article <http://lwn.net/Articles/64835/> (currently requires a subscription).

-------
The Savannah codebase and infrastructure was audited after the compromise to find potential security holes that the cracker could have used. CVS 1.12.5 and 1.11.11 were released on 2003-12-18 as a direct result of that work. Further details on CVS will be released in the coming days.

Services are being brought back up on Savannah as they are secured. For instance, under the new Savannah setup, each software project's CVS repository resides in its own chroot, and other essential system services also reside in their own chroots.

The FSF and Savannah volunteers have taken this compromise very seriously, and we've taken steps to limit the damage from any future compromises.

Paul Fisher
Free Software Foundation
-------

Can we expect an errata release soon?

Version-Release number of selected component (if applicable):
cvs-1.11.2-10

How reproducible:
Didn't try

Steps to Reproduce:
Unknown, but apparently there is an exploit out in the wild somewhere.

Additional info:
This is in-process for release as an erratum.
http://rhn.redhat.com/errata/RHSA-2004-003.html fixed 2004/01/12
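
An added example, not part of the original report and not CVS's own code: an audit of a CVSROOT/passwd file for pserver logins that would run as uid 0, the condition the 1.11.11 announcement quoted above describes. It assumes the three-field layout cvs-user:crypted-password:system-user with the last field optional; the sample file, the uid table and all function names are constructed for illustration.

```python
import pwd

# Constructed sample of a CVSROOT/passwd file (not from any real server).
# Assumed layout per line: cvs-user:crypted-password:system-user,
# where the system-user field is optional and defaults to the CVS user name.
SAMPLE_PASSWD = """\
anonymous::cvsanon
alice:CONSTRUCTEDHASH1:cvs
bob:CONSTRUCTEDHASH2:root

root:CONSTRUCTEDHASH3
carol:CONSTRUCTEDHASH4:toor
dave:CONSTRUCTEDHASH5:nosuchuser
"""
# Constructed name -> uid table standing in for the host's account database.
SAMPLE_UIDS = {"cvsanon": 1001, "cvs": 1002, "root": 0, "toor": 0}


def effective_system_user(line):
    """Return (cvs_user, system_user) for one passwd line, or None if blank."""
    line = line.strip()
    if not line:
        return None
    fields = line.split(":")
    cvs_user = fields[0]
    # A missing or empty third field means the CVS name is the system name.
    system_user = fields[2] if len(fields) > 2 and fields[2] else cvs_user
    return cvs_user, system_user


def host_uid(name):
    """Resolve a system user name to its uid on this host, or None if unknown."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def root_mapped_entries(passwd_text, uid_lookup=host_uid):
    """List (line_no, cvs_user, system_user) for entries that resolve to uid 0."""
    findings = []
    for line_no, line in enumerate(passwd_text.splitlines(), 1):
        parsed = effective_system_user(line)
        # Compare the uid, not the name, so uid-0 aliases are caught too.
        if parsed and uid_lookup(parsed[1]) == 0:
            findings.append((line_no,) + parsed)
    return findings


if __name__ == "__main__":
    for line_no, cvs_user, system_user in root_mapped_entries(SAMPLE_PASSWD, SAMPLE_UIDS.get):
        print(f"line {line_no}: CVS user {cvs_user!r} runs as {system_user!r} (uid 0)")
```

On a real server, pass the contents of the repository's CVSROOT/passwd and leave `uid_lookup` at its default so names are resolved against the host's own accounts.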