Yellow Dog Linux Security Announcement
--------------------------------------

Package: cvs
Issue Date: January 27, 2003
Priority: high
Advisory ID: YDU-20030127-6

1. Topic:

Updated cvs packages are available.

2. Problem:

"CVS is a version control system frequently used to manage source code repositories. During an audit of the CVS sources, Stefan Esser discovered an exploitable double-free bug in the CVS server. On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server. All users of CVS are advised to upgrade to these erratum packages which contain patches to correct the double-free bug." (from Red Hat Advisory)

3. Solution:

a) Updating via apt...

We suggest that you use the apt-get program to keep your system up-to-date. The following command(s) will retrieve and install the fixed version of this update onto your system:

apt-get update
apt-get install cvs

b) Updating manually...

Download the updates below and then run the following rpm command. (Please use a mirror site)

rpm -Fvh [filenames]

ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/cvs-1.11.1p1-8.7.ppc.rpm

4. Verification

MD5 checksum                     Package
-------------------------------- ----------------------------
9652be9c12995d3873d20b7ce24ff3d6 ppc/cvs-1.11.1p1-8.7.ppc.rpm
b18b0548056f9778cbe85983fdd7fc93 SRPMS/cvs-1.11.1p1-8.7.src.rpm

If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command:

rpm --checksig --nogpg filename

Note that --nogpg skips the GPG signature check, so this command confirms only that the file matches the checksum embedded in the package; compare the result against the MD5 values listed above, which come from the advisory rather than from the download itself.

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more information.
For information regarding the usage of apt-get, see: http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
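The checksum table in section 4 can be verified without rpm by comparing each downloaded file against the listed MD5 value. The script below is an added example and is not part of the advisory or of Yellow Dog Linux's tooling; it assumes GNU coreutils md5sum is available and that the checksum list is saved in a file with one "<md5>  <path>" pair per line, exactly as the advisory prints it. A file that fails the comparison should be discarded and re-downloaded from a mirror, since an MD5 mismatch cannot tell corruption apart from tampering.

```shell
#!/bin/sh
# verify_md5 FILE EXPECTED_MD5
# Returns 0 when the file's MD5 matches EXPECTED_MD5, 1 when it does not
# or when the file is missing. Assumes GNU coreutils md5sum (assumption).
verify_md5() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "MISSING  $file" >&2
        return 1
    fi
    # md5sum prints "<hash>  <name>"; keep only the hash.
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (expected $expected, got $actual)" >&2
    return 1
}

# verify_list LISTFILE
# LISTFILE holds lines of the form "<md5>  <path>", as in the advisory table.
# Every entry is checked; the return value is 1 if any entry failed.
verify_list() {
    status=0
    while read -r sum path; do
        # skip blank lines and the table header/separator rows
        case "$sum" in
            ''|'MD5'|'---'*) continue ;;
        esac
        verify_md5 "$path" "$sum" || status=1
    done < "$1"
    return $status
}

# usage: save the two checksum rows from section 4 to checksums.txt,
# download the packages into the matching ppc/ and SRPMS/ directories,
# then run:  verify_list checksums.txt
```

Because the loop reads the list with `read -r sum path`, a package path containing spaces still lands in `path` intact; the header and separator rows of the advisory table are skipped so the table can be pasted in verbatim.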