Date: Tue, 5 Oct 2004 14:40:29 GMT
From: <kerochan2@gmail.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: ports/72202: portaudit warns about the CVS server vulnerability which has already been fixed.
Message-ID: <200410051440.i95EeTE6075730@freefall.freebsd.org>

The following reply was made to PR ports/72202; it has been noted by GNATS.

From: <kerochan2@gmail.com>
To: <freebsd-gnats-submit@FreeBSD.org>
Cc:
Subject: Re: ports/72202: portaudit warns about the CVS server vulnerability which has already been fixed.
Date: Tue, 5 Oct 2004 14:32:33 +0000 (GMT)

Should this be this way?:

--------------------------------------------------8<----------
dxlvi ~# date
Tue Oct 5 16:04:57 CEST 2004
dxlvi ~# uname -a
FreeBSD dxlvi.chello.hu 5.2.1-RELEASE-p11 FreeBSD 5.2.1-RELEASE-p11 #0: Tue Oct 5 10:52:20 CEST 2004 root@dxlvi.chello.hu:/usr/obj/usr/src/sys/DXLVI i386
dxlvi ~# cvs --version

Concurrent Versions System (CVS) 1.11.5-FreeBSD (client/server)

Copyright (c) 1989-2002 Brian Berliner, david d `zoo' zuhn,
                        Jeff Polk, and other authors

CVS may be copied only under the terms of the GNU General Public License,
a copy of which can be found with the CVS distribution kit.

Specify the --help option for further information about CVS
dxlvi ~# portaudit -Fa
Receiving auditfile.tbz (12646 bytes): 100%
12646 bytes transferred in 0.7 seconds (17.65 kBps)
New database installed.
Affected package: FreeBSD-502010
Type of problem: multiple vulnerabilities in the cvs server code.
Reference: <http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html>
Note: To disable this check add the uuid to `portaudit_fixed' in /usr/local/etc/portaudit.conf

0 problem(s) in your installed packages found.
--------------------------------------------------8<----------

From http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html:

References:
 * CVE name CAN-2004-0414
 * CVE name CAN-2004-0416
 * CVE name CAN-2004-0417
 * CVE name CAN-2004-0418
 * CVE name CAN-2004-0778
[...]
Affects:
 * cvs+ipv6 <1.11.17
 * FreeBSD <491101
 * FreeBSD >=500000 <502114
--------------------------------------------------8<----------

From ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:14.cvs.asc:

Topic:          CVS
Category:       contrib
Module:         cvs
Announced:      2004-09-19
Credits:        Stefan Esser, Sebastian Krahmer, Derek Price
                iDEFENSE
Affects:        All FreeBSD versions
Corrected:      2004-06-29 16:10:50 UTC (RELENG_4)
                2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3)
                2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12)
                2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25)
                2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10)
CVE Name:       CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418, CAN-2004-0778
--------------------------------------------------8<----------

So, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418 and CAN-2004-0778 are:

 * Fixed in 5.2.1-RELEASE-p10
 * Reported as unfixed on a 5.2.1-RELEASE-p11 system
 * Reported as fixed in "502114" (?) in the URL portaudit gives
 * Reported by portaudit as affecting "502010"

Hope it helps...

<kerochan2@gmail.com>