From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 08:41:33 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 206F616A4CE; Tue, 13 Jan 2004 08:41:33 -0800 (PST) Received: from ftp.bjpu.edu.cn (ftp.bjpu.edu.cn [202.112.78.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB12F43D48; Tue, 13 Jan 2004 08:41:30 -0800 (PST) (envelope-from delphij@frontfree.net) Received: by ftp.bjpu.edu.cn (Postfix, from userid 426) id D56E352D4; Wed, 14 Jan 2004 00:41:27 +0800 (CST) Received: from beastie.frontfree.net (beastie.frontfree.net [218.107.145.7]) by ftp.bjpu.edu.cn (Postfix) with ESMTP id 8F7295299; Wed, 14 Jan 2004 00:41:27 +0800 (CST) Received: by beastie.frontfree.net (Postfix, from userid 426) id 1630B118C4; Wed, 14 Jan 2004 00:41:26 +0800 (CST) Received: from phantasm205 (unknown [221.216.126.213]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by beastie.frontfree.net (Postfix) with ESMTP id 5A2FA116AA; Wed, 14 Jan 2004 00:41:24 +0800 (CST) Message-ID: <02f201c3d9f4$15c51130$0401a8c0@phantasm205> From: "Xin LI" To: Date: Wed, 14 Jan 2004 00:41:23 +0800 Organization: Phantasm Studio MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.3790.0 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 cc: security-officer@FreeBSD.org cc: peter@FreeBSD.org Subject: Request to upgrade cvs in FreeBSD [New stable cvs release fixing new vulnerability?] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Jan 2004 16:41:33 -0000 Greetings, Peter and the Security Officers team, There is a minor security vulnerability in cvs prior 1.11.10, as described in CAN-2003-0977: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977 On December 10th, 2003, itojun has imported cvs 1.11.10 into NetBSD, as the follows: http://mail-index.netbsd.org/source-changes/2003/12/10/0025.html http://mail-index.netbsd.org/source-changes/2003/12/10/0026.html After a week it has been 'pulled-up' (MFC in our convention) to 1.6 branch: http://mail-index.netbsd.org/source-changes/2003/12/17/0020.html http://mail-index.netbsd.org/source-changes/2003/12/17/0021.html itojun has clarified the update on this post: http://mail-index.netbsd.org/tech-userlevel/2003/12/10/0003.html Then I posted a request on this list, having CC'ed to peter@, so@ and re@: http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001286.html Colin Percival then replied with a patch to mitigate the problem, which should be easy to audited: http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001299.html Unfortunately, before we have taken any steps (importing a new cvs version is not so trivial and I guess that's the reason why you have not done it), cvs 1.11.11 has been released, and imported into NetBSD: http://mail-index.netbsd.org/source-changes/2004/01/02/0021.html http://mail-index.netbsd.org/source-changes/2004/01/02/0022.html Which mentions Gentoo Linux's security advisory, GLSA-200312-08, for your information, is available on BugTraq: http://www.securityfocus.com/archive/1/348448 So would you please consider a similar action to be taken place in FreeBSD? Or, are we really not affected by this? Thanks in advance! Xin LI Repo-meister, Project Coordinator and Liaison The FreeBSD Simplified Chinese Project