cvs security update (SSA:2004-108-02)
Posted on: 04/19/2004 08:25 AM

A cvs security update has been released for Slackware Linux

CVS is a client/server version control system. As a server, it is used to host source code repositories. As a client, it is used to access such repositories. This advisory affects both uses of CVS.

A security problem which could allow a server to create arbitrary files on a client machine, and another security problem which may allow a client to view files outside of the CVS repository have been fixed with the release of cvs-1.11.15.

Any sites running CVS should upgrade to the new CVS package.

Here are the details from the Slackware 9.1 ChangeLog:
Sat Apr 17 14:09:23 PDT 2004
patches/packages/cvs-1.11.15-i486-1.tgz: Upgraded to cvs-1.11.15.
Fixes two security problems (server creating arbitrary files on a client machine, and client viewing files outside of the CVS repository).
For more details, see:
(* Security fix *)


Updated package for Slackware 8.1:

Updated package for Slackware 9.0:

Updated package for Slackware 9.1:

Updated package for Slackware -current:


Slackware 8.1 package:
e8ba67add4c86d0bd8b7dc1ce265752a cvs-1.11.15-i386-1.tgz

Slackware 9.0 package:
177b19dd98655f6811053f29286e4ab7 cvs-1.11.15-i386-1.tgz

Slackware 9.1 package:
80a99f7f4e2606d6c45ad60614cef81b cvs-1.11.15-i486-1.tgz

Slackware -current package:
6e6cbad9deab1a53c1543c72d0acad1c cvs-1.11.15-i486-1.tgz


First, shut down the cvs server if you are running one.

Then, upgrade the package:
# upgradepkg cvs-1.11.10-i486-1.tgz

Finally, restart the CVS server.


Slackware Linux Security Team

Printed from Linux Compatible (