aru
Posted June 9, 2004

Mandrakesoft Security Advisories

MDKSA-2004:058 : cvs
Updated cvs packages fix multiple vulnerabilities
June 9th, 2004

Another vulnerability was discovered related to "Entry" lines in cvs, by the development team (CAN-2004-0414).

As well, Stefan Esser and Sebastian Krahmer performed an audit on the cvs source code and discovered a number of other problems, including:

A double-free condition in the server code is exploitable (CAN-2004-0416).

By sending a large number of arguments to the CVS server, it is possible to cause it to allocate a huge amount of memory which does not fit into the address space, causing an error (CAN-2004-0417).

It was found that the serve_notify() function would write data out of bounds (CAN-2004-0418).

The provided packages update cvs to 1.11.16 and include patches to correct all of these problems.

The released versions of Mandrake GNU/Linux affected are:
9.1, 9.2, 10.0, CS2.1

Full information about this advisory, including the updated packages, is available at:
www.mandrakesoft.com/security/advisories?name=MDKSA-2004:058

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2004-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2004-0416
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2004-0417
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2004-0418

Posted automatically by aru (mdksec2mub v0.0.9)