Stefan Esser of eMatters discovered a flaw in the CVS pserver which allows malicious clients to execute arbitrary code with the privileges of the CVS server. CAN-2004-0396 Affects: FC1 FC2 Was embargoed until May19 http://security.e-matters.de/advisories/072004.html
Created attachment 100329 [details] cvs-1.11.15-entry.patch --- cvs.spec 2004-04-22 19:57:50.000000000 +0200 +++ cvs.spec.rsc 2004-05-19 15:14:46.000000000 +0200 @@ -13,6 +13,7 @@ Patch3: cvs-1.11.2-abortabort.patch Patch4: cvs-1.11.1p1-bs.patch Patch5: cvs-1.11.15-extzlib2.patch +Patch6: cvs-1.11.15-entry.patch Prereq: /sbin/install-info Prefix: %{_prefix} Buildroot: %{_tmppath}/%{name}-root @@ -44,6 +45,7 @@ # Apply a patch to the generated files, OR # run autoreconf and require autoconf >= 2.58, automake >= 1.7.9 %patch5 -p1 -b .extzlib2 +%patch6 -p1 -b .entry # Move my cvs xinetd example file in the correct directory install -m 644 %{SOURCE1} $RPM_BUILD_DIR/%{name}-%{version}/
Closing and marking ERRATA, for lack of UPDATE or some other more appropriate term.
http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00013.html http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00014.html