ports/72202: portaudit warns about the CVS server vulnerability which has already been fixed.

kerochan2 at gmail.com kerochan2 at gmail.com
Tue Oct 5 07:40:30 PDT 2004


The following reply was made to PR ports/72202; it has been noted by GNATS.

From: <kerochan2 at gmail.com>
To: <freebsd-gnats-submit at FreeBSD.org>
Cc:  
Subject: Re: ports/72202: portaudit warns about the CVS server vulnerability which has already been fixed.
Date: Tue,  5 Oct 2004 14:32:33 +0000 (GMT)

 Should this be this way?:
 
 --------------------------------------------------8<----------
 
 dxlvi ~# date
 Tue Oct  5 16:04:57 CEST 2004
 dxlvi ~# uname -a
 FreeBSD dxlvi.chello.hu 5.2.1-RELEASE-p11 FreeBSD 5.2.1-RELEASE-p11 #0: Tue Oct  5 10:52:20 CEST 2004     root at dxlvi.chello.hu:/usr/obj/usr/src/sys/DXLVI  i386
 dxlvi ~# cvs --version
 
 Concurrent Versions System (CVS) 1.11.5-FreeBSD (client/server)
 
 Copyright (c) 1989-2002 Brian Berliner, david d `zoo' zuhn,
                         Jeff Polk, and other authors
 
 CVS may be copied only under the terms of the GNU General Public License,
 a copy of which can be found with the CVS distribution kit.
 
 Specify the --help option for further information about CVS
 dxlvi ~# portaudit -Fa
 Receiving auditfile.tbz (12646 bytes): 100%
 12646 bytes transferred in 0.7 seconds (17.65 kBps)
 New database installed.
 Affected package: FreeBSD-502010
 Type of problem: multiple vulnerabilities in the cvs server code.
 Reference: <http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html>
 Note: To disable this check add the uuid to `portaudit_fixed' in /usr/local/etc/portaudit.conf
 
 0 problem(s) in your installed packages found.
 
 --------------------------------------------------8<----------
 
 From http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html:
 
 References:
 
      * CVE name CAN-2004-0414
      * CVE name CAN-2004-0416
      * CVE name CAN-2004-0417
      * CVE name CAN-2004-0418
      * CVE name CAN-2004-0778
 [...]
 Affects:
 
      * cvs+ipv6 <1.11.17
      * FreeBSD <491101
      * FreeBSD >=500000 <502114
 
 --------------------------------------------------8<----------
 
 From ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:14.cvs.asc:
 
 Topic:          CVS
 
 Category:       contrib
 Module:         cvs
 Announced:      2004-09-19
 Credits:        Stefan Esser, Sebastian Krahmer, Derek Price
                 iDEFENSE
 Affects:        All FreeBSD versions
 Corrected:      2004-06-29 16:10:50 UTC (RELENG_4)
                 2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3)
                 2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12)
                 2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25)
                 2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10)
 CVE Name:       CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418,
                 CAN-2004-0778
 
 --------------------------------------------------8<----------
 
 So, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418 and CAN-2004-0778 are:
  * Fixed in 5.2.1-RELEASE-p10
  * Reported as unfixed on a 5.2.1-RELEASE-p11 system
  * Reported as fixed in "502114" (?) in the URL portaudit gives
  * Reported by portaudit as affecting "502010"
 
 Hope it helps...
 <kerochan2 at gmail.com>
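
Added example, not part of the original message and not portaudit's own code: a Python check that replays the comparison the message walks through, using only values quoted above. It assumes the number after `FreeBSD-` is compared as an integer against the `Affects` bounds and handles only the integer `FreeBSD` entries; the function names and the `triage` labels are hypothetical.

```python
import operator
import re

# Constructed sample input: every value is copied from the message above.
AFFECTS = ["FreeBSD <491101", "FreeBSD >=500000 <502114"]
REPORTED = "FreeBSD-502010"        # "Affected package" printed by portaudit
RUNNING = "5.2.1-RELEASE-p11"      # release string from uname -a
CORRECTED = ["4.10-RELEASE-p3", "4.9-RELEASE-p12",
             "4.8-RELEASE-p25", "5.2.1-RELEASE-p10"]  # from FreeBSD-SA-04:14.cvs

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq}

def parse_range(spec):
    """'FreeBSD >=500000 <502114' -> ('FreeBSD', [('>=', 500000), ('<', 502114)])"""
    name, *conds = spec.split()
    parsed = []
    for cond in conds:
        m = re.fullmatch(r"(<=|>=|<|>|=)(\d+)", cond)
        if not m:
            raise ValueError(f"unsupported condition: {cond!r}")
        parsed.append((m.group(1), int(m.group(2))))
    return name, parsed

def range_matches(spec, package):
    """True if 'name-version' satisfies every bound in spec (assumed integer compare)."""
    name, conds = parse_range(spec)
    pkg_name, _, version = package.rpartition("-")
    return pkg_name == name and all(OPS[op](int(version), bound) for op, bound in conds)

def parse_release(release):
    """'5.2.1-RELEASE-p11' -> ('5.2.1', 11); a missing -pN suffix is patch level 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-RELEASE(?:-p(\d+))?", release)
    if not m:
        raise ValueError(f"not a RELEASE string: {release!r}")
    return m.group(1), int(m.group(2) or 0)

def triage(affects, reported, running, corrected):
    """Compare the audit database's verdict with the advisory's patch levels."""
    if not any(range_matches(spec, reported) for spec in affects):
        return "not-flagged"
    base, level = parse_release(running)
    fixed_at = dict(parse_release(c) for c in corrected)
    if base in fixed_at and level >= fixed_at[base]:
        return "flagged-but-patched"   # database and advisory disagree
    return "flagged"

if __name__ == "__main__":
    print(triage(AFFECTS, REPORTED, RUNNING, CORRECTED))
```

With the values from the message, the second `Affects` range matches 502010 while the running patch level is at or above the advisory's corrected level, which is the mismatch being reported.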

