| Field | Value |
|---|---|
| VID | 23051 |
| Severity | 30 |
| Port | 2401 |
| Protocol | TCP |
| Class | CVS |
Detailed Description

The CVS server, according to its version number, has a file manipulation vulnerability. CVS (Concurrent Versions System) is an open-source source code management and distribution system available for most Linux and Unix-based operating systems. CVS versions 1.11.9 and earlier could allow a remote attacker to create directories and files on the affected system. By sending a malformed module request, a remote attacker could create directories and files at the root of the filesystem holding the CVS repository.

* Note: This check relies solely on the version number reported by the remote CVS server to assess this vulnerability, so the result may be a false positive.
* References: http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1
* Platforms Affected: CVS (Concurrent Versions System) 1.11.9 and earlier; Linux, any version; UNIX, any version
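The note above says the check is purely version-based. The following is an added example (not part of this record or of CVS) of how such a banner check is implemented correctly, and why a naive string comparison misclassifies 1.11.10 as vulnerable; the sample banners are constructed, modelled on the "Concurrent Versions System (CVS) X.Y.Z (client/server)" greeting format.

```python
import re

# The advisory flags "1.11.9 and earlier": anything at or below this tuple.
LAST_VULNERABLE = (1, 11, 9, 0)

# Constructed sample greetings (not captured from any real host), modelled on
# the CVS server version banner format; "I HATE YOU" mimics a pserver
# authentication rejection, where no version is visible at all.
SAMPLE_BANNERS = {
    "old":   "Concurrent Versions System (CVS) 1.11.9 (client/server)",
    "fixed": "Concurrent Versions System (CVS) 1.11.10 (client/server)",
    "patch": "Concurrent Versions System (CVS) 1.11.1p1 (client/server)",
    "junk":  "I HATE YOU",
}

# major.minor.patch with an optional CVS-style "pN" patch level suffix.
_VERSION_RE = re.compile(r"\(CVS\)\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_cvs_version(banner):
    """Return (major, minor, patch, plevel) as integers, or None if no version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def assess(banner):
    """Classify a banner purely by version: 'vulnerable', 'not-flagged' or 'unknown'.

    'unknown' is returned rather than guessed when the banner carries no version,
    since this style of check has no other evidence to go on.
    """
    version = parse_cvs_version(banner)
    if version is None:
        return {"version": None, "status": "unknown"}
    status = "vulnerable" if version <= LAST_VULNERABLE else "not-flagged"
    return {"version": version, "status": status}


def naive_string_check(banner):
    """The wrong way: lexical comparison, where "1.11.10" sorts below "1.11.9"."""
    m = re.search(r"(\d+\.\d+\.\d+)", banner)
    return m is not None and m.group(1) <= "1.11.9"


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, assess(banner), "naive:", naive_string_check(banner))
```

Running it shows the fixed 1.11.10 banner reported as "not-flagged" by the tuple comparison but as vulnerable by the naive string check, which is exactly the kind of false positive the note warns about.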
Recommendation

Upgrade to the latest version of CVS (1.11.10 or later), available from the Concurrent Versions System Web site at http://ccvs.cvshome.org/servlets/ProjectDownloadList

* For Slackware Linux: Upgrade to the latest cvs package, as listed in the slackware-security Mailing List, Thu, 11 Dec 2003, at http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.402538
* For Mandrake Linux: Upgrade to the latest cvs package, as listed in MandrakeSoft Security Advisory MDKSA-2003:112-1 at http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:112-1
* For Gentoo Linux: Upgrade to the latest version of cvs (1.11.10 or later), as listed in Gentoo Linux Security Announcement 200312-04 at http://www.linuxsecurity.com/advisories/gentoo_advisory-3859.html
* For other distributions: Contact your vendor for upgrade or patch information.
Related URLs

* CVE-2003-0977 (CVE)
* 9178 (SecurityFocus)
* 13929 (ISS)