From owner-freebsd-bugs@FreeBSD.ORG Tue Oct 5 14:40:30 2004
Date: Tue, 5 Oct 2004 14:40:29 GMT
Message-Id: <200410051440.i95EeTE6075730@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From:
Subject: Re: ports/72202: portaudit warns about the CVS server vulnerability which has already been fixed.
Reply-To: kerochan2@gmail.com
List-Id: Bug reports

The following reply was made to PR ports/72202; it has been noted by GNATS.

From:
To:
Cc:
Subject: Re: ports/72202: portaudit warns about the CVS server vulnerability which has already been fixed.
Date: Tue, 5 Oct 2004 14:32:33 +0000 (GMT)

Should this be this way?:

--------------------------------------------------8<----------
dxlvi ~# date
Tue Oct 5 16:04:57 CEST 2004
dxlvi ~# uname -a
FreeBSD dxlvi.chello.hu 5.2.1-RELEASE-p11 FreeBSD 5.2.1-RELEASE-p11 #0: Tue Oct 5 10:52:20 CEST 2004 root@dxlvi.chello.hu:/usr/obj/usr/src/sys/DXLVI i386
dxlvi ~# cvs --version

Concurrent Versions System (CVS) 1.11.5-FreeBSD (client/server)

Copyright (c) 1989-2002 Brian Berliner, david d `zoo' zuhn,
Jeff Polk, and other authors

CVS may be copied only under the terms of the GNU General Public License,
a copy of which can be found with the CVS distribution kit.

Specify the --help option for further information about CVS

dxlvi ~# portaudit -Fa
Receiving auditfile.tbz (12646 bytes): 100%
12646 bytes transferred in 0.7 seconds (17.65 kBps)
New database installed.
Affected package: FreeBSD-502010
Type of problem: multiple vulnerabilities in the cvs server code.
Reference:

Note: To disable this check add the uuid to
`portaudit_fixed' in /usr/local/etc/portaudit.conf

0 problem(s) in your installed packages found.
--------------------------------------------------8<----------
From http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html:

References:
* CVE name CAN-2004-0414
* CVE name CAN-2004-0416
* CVE name CAN-2004-0417
* CVE name CAN-2004-0418
* CVE name CAN-2004-0778
[...]

Affects:
* cvs+ipv6 <1.11.17
* FreeBSD <491101
* FreeBSD >=500000 <502114
--------------------------------------------------8<----------
From ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:14.cvs.asc:

Topic: CVS

Category: contrib
Module: cvs
Announced: 2004-09-19
Credits: Stefan Esser, Sebastian Krahmer, Derek Price
         iDEFENSE
Affects: All FreeBSD versions
Corrected: 2004-06-29 16:10:50 UTC (RELENG_4)
           2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3)
           2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12)
           2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25)
           2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10)
CVE Name: CAN-2004-0414, CAN-2004-0416, CAN-2004-0417,
          CAN-2004-0418, CAN-2004-0778
--------------------------------------------------8<----------

So, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418 and
CAN-2004-0778 are:

* Fixed in 5.2.1-RELEASE-p10
* Reported as unfixed on a 5.2.1-RELEASE-p11 system
* Reported as fixed in "502114" (?) in the URL portaudit gives
* Reported by portaudit as affecting "502010"

Hope it helps...
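
The range check behind the discrepancy listed in the message above, as an added example that is not part of the original message and is not portaudit's own code. The function names are hypothetical, and it assumes the number after "FreeBSD-" is compared as a plain integer against each bound of an "Affects" entry.

```shell
#!/bin/sh
# Added example (not portaudit's code). Assumption: the number after
# "FreeBSD-" is compared as a plain integer against each bound.

# affects_match PKG ENTRY: status 0 if PKG satisfies every bound in ENTRY,
# 1 if it does not, 2 if PKG's version is not a plain integer
# (dotted port versions such as 1.11.17 are out of scope here).
affects_match() {
    pkg=$1 entry=$2
    name=${pkg%-*} ver=${pkg##*-}
    case $ver in ''|*[!0-9]*) return 2 ;; esac
    set -f; set -- $entry; set +f      # split entry into name + bounds
    [ "$1" = "$name" ] || return 1
    shift
    for bound in "$@"; do
        case $bound in
            '>='*) [ "$ver" -ge "${bound#>=}" ] || return 1 ;;
            '<='*) [ "$ver" -le "${bound#<=}" ] || return 1 ;;
            '>'*)  [ "$ver" -gt "${bound#>}" ]  || return 1 ;;
            '<'*)  [ "$ver" -lt "${bound#<}" ]  || return 1 ;;
            *)     return 1 ;;             # unknown operator: no match
        esac
    done
    return 0
}

# matching_entries PKG: print each "Affects" line on stdin that PKG matches.
matching_entries() {
    target=$1
    while read -r line; do
        affects_match "$target" "$line" && printf '%s\n' "$line"
    done
    return 0
}

# Sample input: the three "Affects" lines quoted in the message above.
ENTRIES='cvs+ipv6 <1.11.17
FreeBSD <491101
FreeBSD >=500000 <502114'

# The pseudo-package portaudit printed on the 5.2.1-RELEASE-p11 system.
printf '%s\n' "$ENTRIES" | matching_entries FreeBSD-502010
```

In the transcript the 5.2.1-RELEASE-p11 system is still reported as FreeBSD-502010, which falls inside `>=500000 <502114`, so the entry matches even though the advisory lists 5.2.1-RELEASE-p10 as corrected.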