RHSA-2004:153-01 details a new set of issues with cvs. cvs-1.11.1p1-12.src.rpm recompiles without any changes or fuss, at least on 7.x installations. The spec file from these sources can be "recycled" after modifications to the release. For RH8, cvs-1.11.2-18.src.rpm mentioned in the same advisory can likely be used, but this needs to be checked.

------- Additional Comments From dwb7.edu 2004-04-30 06:49:09 ----

A warning on building the rpm: if you happen to have a /usr/local/bin/perl that is, say, a symlink to /usr/bin/perl (as we do on our 7.3 boxes) and /usr/local/bin is in your path before /usr/bin, the rpm will build fine. But it won't install:

  /usr/local/bin/perl is needed by cvs-1.11.1p1-12.legacy

Solution: make sure /usr/bin is in the path before /usr/local/bin.

------- Additional Comments From dwb7.edu 2004-05-03 12:02:11 ----

Available for QA: cvs for rh7.3
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/cvs

My public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBECWtgQRBACJ8Y+PpLpzgyErXsfyBM+Uxo62IBH5KMT1ipYFl+1miEFU2QGM
ECapKO2UykQQCk3DDGLj3tUr8HpxK4uicM6VcbLv073PG4ib5vTUp4GfrxYAhjlb
NZWvcCW7k3dpgXxXks98VebTkuItrRnWosZ3xJWpxk74zUpCI4AG/9qQ7wCg6CMk
8xpvgyg620roAOY0Uur/SOsD/27k3VKSD4gQUV/HygXBwAb7sJN7kzsHPvR5ORcM
sUM+ilaDqBSaxxqmZ8N2B0DbIF7XXpb6C6o+Bxk+D/z0cF6dZ2lDPC7qb6/Ke+Zq
XDvbrn1VjK5bixQsZKg/cbtNOdX6vrpbuPq+O5SaNm8/szW3GY45Gq3nJXwrydIV
ftdfA/469xZ9JDxlrEmFJBb7By8bcXLEeUXfvunY7VFwywbiIlp4b0dFkZrFaTMB
pWBTs+kHWO0e3VapCHH6afVxaYnLCvGlIkGDCuXL8PKh7sfeCDf0vRrN/sjxZbS9
WfwVgDZdePRv+ktliCdBa6lYO1PZdMDeUCOvh5NIWYIbvdaQ1bQtRGF2aWQgQm90
c2NoIChDQ01SQ0YpIDxkd2I3QGNjbXIuY29ybmVsbC5lZHU+iFkEExECABkFAkCW
tgQECwcDAgMVAgMDFgIBAh4BAheAAAoJEEmO7O7j3/yFcWkAoLP+sCJ4vOOmq6VS
By/f9mc2hVoGAJ40JNnkh9nk4KKH2DePgrrxrLsvi7kCDQRAlrYOEAgAnePsdzXu
TlYnNCC3bRhk3uc1sSkSpd3IC/eNqTlsNaUo6pON1xCL7wgLXIp9lyUYUt1V+VGF
Aj3m+aAfMynbbWqZxkbKDKZXAsDj6lp8WUszNtrZmKzpL8XWZef5SMGtUbCpK/+w
Rx6XaUz8ltz7vVB95IixseYoEnF1qkyGog6mLFvYAHBXIzazIKu06GeMk+TdAoo5
rVuXZ/uGMS0v0AG3+8RkPUJr8+eBnF6SsVyMAufkoulpDKxVGMI/nMPBOVNIFt8+
AsEajxj/7ZfAwShkXbR//dRbi8cwB71WZx6g1Zcw/FzlFaJr6/pDeKIk2Svktbki
0+YugLbSIO2V4wADBQf9HHeGImUDPwOWIGV8wmLWEBvAFsEAtmrMl/4ZU3ym8OmL
cp/hs0kGe/mSzRq0x7mmUbvGB+AkiEANGzI3eTgWx8aNF2UlDTNX4xMbTHMyFLvJ
Re0Up9lK8wXOh6oN3rZTEzUyTVQFuO5uFEeMe35ggVS8Yb/Rc8IF2gwNHAqlb/wt
fChY/LcTWZJMupxemmujGU24IfwdTVG1LyOSAbiRKN8DatBUiXPJessT1JGpuKRQ
Tu/96XuHouyXo0DeImQgsa/3rcORmlcfD5KIOm4H+/3YkFeh2njZJWylU5jxv95O
IgF/uUiLs1ZbLuOofDe/Cf+943md+oz/URBG8srh64hGBBgRAgAGBQJAlrYOAAoJ
EEmO7O7j3/yFEqcAnRYd/3fyeeLQUjvDmtZ3ArHw5x+DAJ49URz6kY27H61QKn69
AMpXD/nuNg==
=3hjw
-----END PGP PUBLIC KEY BLOCK-----

------- Additional Comments From dwb7.edu 2004-05-04 06:20:27 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5sums of the packages:

1e356a75538e20e9ecdd2e8eaf9143f8  cvs-1.11.1p1-12.legacy.i386.rpm
861282eacd1b162fc65246b1bdf50a3e  cvs-1.11.1p1-12.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8K2SY7s7uPf/IURAvKgAKDCbS+OSyBTHzEdtYojMh1gTIFEiACdGdDz
sWfAsO14VCrmdBMYPvE9hbI=
=mPj8
-----END PGP SIGNATURE-----

------- Additional Comments From dwb7.edu 2004-05-04 07:04:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sha1sums:

sha1sum -b cvs*
ba9d377026e87b324ec5ff397f87ff3989ab1f6e *cvs-1.11.1p1-12.legacy.i386.rpm
648f2cd648ccd944c11d99696e03d95db6ee5a46 *cvs-1.11.1p1-12.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8yLSY7s7uPf/IURAqLFAJ0YIWVPMiBjUNuR29aK3z2TqnK7NQCdGUgM
AJTU6InpHXkDbFcATr+pz2M=
=SSWo
-----END PGP SIGNATURE-----

------- Additional Comments From dwb7.edu 2004-05-10 08:14:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

These RPMS are built from the AS2.1 rpms, referenced in:
https://rhn.redhat.com/errata/RHSA-2004-153.html
(fix CAN-2004-0180 and CAN-2004-0405)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAn8aBSY7s7uPf/IURArcVAJ4v6WS3Xrx+Xli3cLt3YKU+c8nHEwCgl9tG
3upQ44Ej3x1CBh4ZcLduEss=
=UjZM
-----END PGP SIGNATURE-----

------- Additional Comments From jkeating 2004-05-10 08:16:03 ----

*** Bug 1584 has been marked as a duplicate of this bug. ***

------- Additional Comments From dwb7.edu 2004-05-10 08:49:59 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --- cvs.spec-7.3legacy Mon May 10 14:42:31 2004 +++ cvs.spec-as Mon May 10 14:41:19 2004 @@ -3,7 +3,7 @@ Summary: A version control system. Name: cvs Version: %{cvsbase}%{cvspatch} - -Release: 9.7.legacy +Release: 12 License: GPL Group: Development/Tools Source: ftp://ftp.cvshome.org/pub/cvs-%{cvsbase}/cvs-%{version}.tar.gz @@ -18,9 +18,12 @@ Patch7: cvs-1.11.1p1-timestamp.patch Patch8: cvs-1.11.1p1-extzlib.patch Patch9: cvs-e-matters.patch - -Patch10: cvs-1.11.10-1.11.11.patch - -Patch11: cvs-1.11.9-absolute-modules.patch - - +Patch10: cvs-1.11.9-absolute-modules.patch +Patch11: cvs-1.11.1p1-sscanf.patch +Patch12: cvs-1.11.10-1.11.11.patch +Patch13: cvs-1.11.2-1.11.14-noCVS.patch +Patch14: 03cvs-client-exploit-fix-1.11.2.diff +Patch15: cvs-cat-etc-fix-1.11.2.diff Prereq: /sbin/install-info Prefix: %{_prefix} Buildroot: %{_tmppath}/%{name}-root @@ -54,8 +57,12 @@ %patch7 -p0 -b .timestamp %patch8 -p1 -b .extzlib %patch9 -p1 -b .e-matters - -%patch10 -p1 -b .10-and-11-security - -%patch11 -p0 -b .absolute-modules +%patch10 -p0 -b .absolute-modules +%patch11 -p1 -b .sscanf +%patch12 -p1 -b .1.11.10-1.11.11 +%patch13 -p1 -b .noCVS +%patch14 -p0 -b .client-exploit +%patch15 -p0 -b .cat-etc-fix %build %{!?nokerberos: CPPFLAGS="-I/usr/kerberos/include"; export CPPFLAGS}
@@ -100,18 +107,22 @@ %{_datadir}/%{name} %changelog - -* Mon Jan 12 2004 Jason Rohwedder <rohwedde> 1.11.1p1-9.7.legacy - -- applied cvs-1.11.9-absolute-modules.patch - -- to make Seth's previous changelog true :) - -- He actually patched - -- http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88 - - - -* Mon Jan 12 2004 Seth Vidal <skvidal.edu> - -- apply security patch for CAN-2003-0977 - - - -* Tue Dec 30 2003 Seth Vidal <skvidal.edu> 1.11.1p1-8.7.duke.1 - -- apply security patch for: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977 - -- second patch to make the above build +* Mon Apr 5 2004 Nalin Dahyabhai <nalin> 1.11.1p1-12 +- add further fix from Derek Robert Price for client-trusts-server + vulnerability in handling of filename paths (CAN-2004-0180) + +* Fri Mar 19 2004 Nalin Dahyabhai <nalin> 1.11.1p1-11 +- add fix from Derek Robert Price for client-trusts-server vulnerability in + handling of filename paths (CAN-2004-0180) + +* Thu Dec 18 2003 Nalin Dahyabhai <nalin> 1.11.1p1-10 +- rebuild + +* Thu Dec 18 2003 Nalin Dahyabhai <nalin> 1.11.1p1-9 +- extract fix for CAN-2003-0977 from 1.11.9-to-1.11.10 changes: absolute + module names can make a server attempt to create a directory using the + client's privileges +- include fix for CAN-2002-0844, an off-by-one in sscanf call * Thu Jan 16 2003 Nalin Dahyabhai <nalin> 1.11.1p1-8.7 - incorporate fix for double-free in server (CAN-2003-0015)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAn86PSY7s7uPf/IURArOuAJ4kBG4pfTQhwC0LqCafp9+qd+ODzQCdG443
rb7/0vhpnMAJQ6EObik5eNg=
=+UL1
-----END PGP SIGNATURE-----

------- Additional Comments From jkeating 2004-05-18 18:41:54 ----

I've seen no QA yet. These really need to get QA before I push them to updates-testing... There also need to be 7.2/8.0 packages...

------- Additional Comments From dom 2004-05-19 07:22:02 ----

Last 7.2 update was an identical version and so the same update will apply. RH 8 (and 9 surely?) will need a slightly different version.

------- Additional Comments From dwb7.edu 2004-05-19 17:21:55 ----

bug #1620 now resolves this in addition to the new cvs issues.

------- Additional Comments From jkeating 2004-05-31 08:45:00 ----

*** This bug has been marked as a duplicate of 1620 ***

------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1485 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1485
Originally filed under the Fedora Legacy product and General component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
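Review bot: the %changelog hunk (@@ -100,18 +107,22 @@) carries no entry for Patch13 (cvs-1.11.2-1.11.14-noCVS.patch) or for CAN-2004-0405, which the 2004-05-10 comment says these packages fix, and it drops the 1.11.1p1-9.7.legacy entries instead of adding a legacy entry on top of Nalin's; the first hunk likewise sets "+Release: 12" while the packages posted for QA are named cvs-1.11.1p1-12.legacy, so the spec that actually produced them should show a Release ending in .legacy and a changelog entry describing the legacy rebuild. The -p levels in the %prep hunk (%patch10 -p0 .absolute-modules, %patch12 -p1 .1.11.10-1.11.11) do match the renumbered Patch10/Patch12 lines, so the patch reordering itself is consistent.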
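As an added example (not from this thread or from Fedora Legacy), the check a QA tester applies to the signed checksum lists posted above before installing anything: the script publishes a SHA1SUMS manifest in the same "hash *file" form that "sha1sum -b" printed in the thread, verifies a package set against it, and then shows that a modified or missing package makes the check fail. The two file names are taken from the thread, but their contents are constructed stand-ins, since the real RPMs are not fetched here; everything else (function names, the SHA1SUMS file name, the scratch directory) is the example's own.

```shell
#!/bin/sh
# Added example: verify a package set against a published checksum list before
# installing it. File names come from the bug thread; their contents are
# constructed stand-ins for the real RPMs, which this script does not download.

# make_fixture: create a scratch directory holding two fake packages and a
# SHA1SUMS manifest in the "<sha1> *<file>" form produced by "sha1sum -b".
# Prints the directory path on success.
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf 'constructed i386 payload\n' > "$dir/cvs-1.11.1p1-12.legacy.i386.rpm"
    printf 'constructed src payload\n'  > "$dir/cvs-1.11.1p1-12.legacy.src.rpm"
    ( cd "$dir" && sha1sum -b cvs-1.11.1p1-12.legacy.*.rpm > SHA1SUMS ) || return 1
    printf '%s\n' "$dir"
}

# verify_sums DIR MANIFEST: succeed only if every file listed in MANIFEST is
# present in DIR and hashes to the published value. A missing or altered file
# makes "sha1sum -c" fail, which is the condition to refuse the install on.
verify_sums() {
    ( cd "$1" && sha1sum -c "$2" >/dev/null 2>&1 )
}

# Demonstration when run directly: a clean set passes, a modified package fails.
fixture=$(make_fixture) || exit 1
if verify_sums "$fixture" SHA1SUMS; then
    echo "ok: all packages match the published sums"
fi
printf 'extra bytes\n' >> "$fixture/cvs-1.11.1p1-12.legacy.i386.rpm"
if ! verify_sums "$fixture" SHA1SUMS; then
    echo "refusing install: a package no longer matches its published sum"
fi
rm -rf "$fixture"
```

The md5 list posted earlier in the thread is checked the same way with "md5sum -c"; the point of verifying against the signed list rather than a sum printed beside the download is that the sums themselves travel under the poster's PGP signature, so a swapped package and a swapped checksum file are both caught.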