multiple vulnerabilities in the cvs server code

Dmitry Pryanishnikov dmitry at atlantis.dp.ua
Tue Sep 14 06:37:24 PDT 2004


Hello!

On Tue, 14 Sep 2004, Volker Stolz wrote:
>> Type of problem: multiple vulnerabilities in the cvs server code.
>> 1) What are current plans to fix these vulnerabilities?
>
> The related security advisory [SA] was already published in May:
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc
> (SAs are available from the project's front page).

  As I read in this SA, this vulnerability was fixed on 2004-05-20, before
4.10 was released, so 4.10-RELEASE isn't vulnerable, right? But portaudit
still complains about FreeBSD-491000. Probably a wrong check in auditfile?
Also, it would be nice if such advisories advanced kern.osreldate,
so auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
which isn't vulnerable to this problem, but kern.osreldate is still 490000
there. If the Security Officer bumps src/sys/conf/newvers.sh, why doesn't he bump
src/sys/sys/param.h?

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry at atlantis.dp.ua
nic-hdl: LYNX-RIPE
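The mismatch Dmitry describes (kern.osreldate stays at 490000 on a patched 4.9 host, so a check keyed only on osreldate flags it as vulnerable) can be shown with a small script. This is an added example, not code from the post, from portaudit or from the FreeBSD project; the threshold values FIX_OSRELDATE and FIX_PATCHLEVEL_49 are constructed placeholders, not figures from the advisory, and the uname strings and osreldate numbers fed to it are likewise constructed.

```shell
#!/bin/sh
# Added example: two ways of deciding whether a FreeBSD 4.x host carries a
# base-system fix. One looks only at kern.osreldate (which security-branch
# patch releases do not bump); the other also reads the -pN patch level
# from `uname -r`.
#
# Placeholders (constructed for illustration, NOT taken from FreeBSD-SA-04:10):
#   FIX_OSRELDATE     kern.osreldate of the first release shipping the fix
#   FIX_PATCHLEVEL_49 patch level of the 4.9 security branch that has the fix
FIX_OSRELDATE=491000
FIX_PATCHLEVEL_49=10

# osreldate_check OSRELDATE
# Mimics an auditfile-style check that keys only on kern.osreldate.
osreldate_check() {
    if [ "$1" -lt "$FIX_OSRELDATE" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# parse_uname UNAME_R
# "4.9-RELEASE-p11" -> "4.9 11"; a plain "4.10-RELEASE" -> "4.10 0"
parse_uname() {
    rel=${1%%-*}          # text before the first '-'
    rest=${1#*-}          # "RELEASE-p11" or "RELEASE"
    case "$rest" in
        *-p*) patch=${rest##*-p} ;;
        *)    patch=0 ;;
    esac
    echo "$rel $patch"
}

# patchlevel_check UNAME_R OSRELDATE
# For 4.9 hosts, trust the patch level; otherwise fall back to osreldate.
patchlevel_check() {
    set -- $(parse_uname "$1") "$2"
    rel=$1; patch=$2; osreldate=$3
    if [ "$rel" = "4.9" ]; then
        if [ "$patch" -ge "$FIX_PATCHLEVEL_49" ]; then
            echo fixed
        else
            echo vulnerable
        fi
    else
        osreldate_check "$osreldate"
    fi
}

# Demonstration on constructed hosts: a patched 4.9-p11 box still reports
# kern.osreldate=490000, so the osreldate-only check produces a false positive.
for host in "4.9-RELEASE-p11 490000" "4.9-RELEASE-p3 490000" "4.10-RELEASE 491100"; do
    set -- $host
    printf '%-16s osreldate-only=%-10s with-patchlevel=%s\n' \
        "$1" "$(osreldate_check "$2")" "$(patchlevel_check "$1" "$2")"
done
```

The point of the contrast is that a scanner keyed on an identifier like FreeBSD-491000 alone cannot distinguish 4.9-RELEASE from 4.9-RELEASE-p11; any accurate check on a security branch has to consult the patch level (or some other artefact the patch actually changes), since kern.osreldate is not advanced by security-branch patch releases.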

