| VID |
23127 |
| Severity |
40 |
| Port |
2401 |
| Protocol |
TCP |
| Class |
CVS |
| Detailed Description |
The CVS server, according to its version number, has a unspecified buffer overflow vulnerability. CVS (Concurrent Versions System) is an open-source source code management and distribution system available for most Linux and Unix-based operating systems. CVS versions prior to 1.11.20, and prior to 1.12.12 are vulnerable to a unspecified buffer overflow vulnerability, caused by a double free() bug. A remote authenticated attacker could exploit this vulnerability to execute arbitrary code on the affected host in the context of the vulnerable process.
* Note: This check solely relied on the version number of the remote CVS server to assess this vulnerability, so this might be a false positive.
* References:
http://secunia.com/advisories/14976/
* Platforms Affected:
CVS (Concurrent Versions System) prior to 1.11.20
CVS (Concurrent Versions System) prior to 1.12.12
Linux Any version
Unix Any version |
| Recommendation |
Upgrade to the latest version of CVS (1.11.20 or 1.12.12 or later), available from the CVS Web site at http://ccvs.cvshome.org/servlets/ProjectDownloadList
For Gentoo Linux:
Upgrade to the latest version of CVS (1.11.18-r1 or later), as listed in Gentoo Linux Security Advisory GLSA 200504-16 at http://www.gentoo.org/security/en/glsa/glsa-200504-16.xml
For SUSE Linux:
Upgrade to the latest version of cvs, as listed in SUSE Security Announcement SUSE-SA:2005:024 at http://www.novell.com/linux/security/advisories/2005_24_cvs.html
For other distributions:
Contact your vendor for upgrade or patch information. |
| Related URL |
CVE-2005-0753 (CVE) |
| Related URL |
13217 (SecurityFocus) |
| Related URL |
20148 (ISS) |
|
