From owner-freebsd-bugs@FreeBSD.ORG Mon Feb 2 04:30:26 2004
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B34F16A4CE for ; Mon, 2 Feb 2004 04:30:26 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E20343D41 for ; Mon, 2 Feb 2004 04:30:21 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) i12CULFR046647 for ; Mon, 2 Feb 2004 04:30:21 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i12CULC0046645; Mon, 2 Feb 2004 04:30:21 -0800 (PST) (envelope-from gnats)
Resent-Date: Mon, 2 Feb 2004 04:30:21 -0800 (PST)
Resent-Message-Id: <200402021230.i12CULC0046645@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Jacques Marneweck
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2224A16A4CE for ; Mon, 2 Feb 2004 04:26:24 -0800 (PST)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4544743D2D for ; Mon, 2 Feb 2004 04:26:23 -0800 (PST) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.12.10/8.12.10) with ESMTP id i12CQMdL030252 for ; Mon, 2 Feb 2004 04:26:22 -0800 (PST) (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.12.10/8.12.10/Submit) id i12CQMfs030251; Mon, 2 Feb 2004 04:26:22 -0800 (PST) (envelope-from nobody)
Message-Id: <200402021226.i12CQMfs030251@www.freebsd.org>
Date: Mon, 2 Feb 2004 04:26:22 -0800 (PST)
From: Jacques Marneweck
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.0
Subject: bin/62255: 2003-12-18: Stable CVS Version 1.11.11 Released! (security update)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 02 Feb 2004 12:30:26 -0000

>Number: 62255
>Category: bin
>Synopsis: 2003-12-18: Stable CVS Version 1.11.11 Released! (security update)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Feb 02 04:30:20 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Jacques Marneweck
>Release: 4.9-STABLE
>Organization: Ataris Technologies
>Environment:
FreeBSD XXXXX.YYYYYYY.co.za 4.9-STABLE FreeBSD 4.9-STABLE #1: Mon Feb 2 01:26:27 SAST 2004 ZZZZZ@XXXXX.YYYYY.co.za:/usr/obj/usr/src/sys/XXXXXX i386
>Description:
Stable CVS 1.11.11 has been released. Stable releases contain only bug fixes from previous versions of CVS.

This release adds code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file. Previously, any user with the ability to write the CVSROOT/passwd file could execute arbitrary code as the root user on systems with CVS pserver access enabled. We recommend this upgrade for all CVS servers!

Take a look at the NEWS file from the source distribution or go directly to the downloads page.
>How-To-Repeat:
>Fix:
Update the version of cvs in /usr/src/contrib/cvs
>Release-Note:
>Audit-Trail:
>Unformatted:
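The failsafe described in the quoted announcement, refusing to keep serving a session as root after login, shown as an added C illustration that is not CVS source code and not part of this report. The names `target_uid_allowed` and `drop_to_user` are hypothetical, and the program assumes it is started with enough privilege to change identity.

```c
/* Added illustration; not CVS source. All function names are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes initgroups() on glibc */
#endif
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Policy: a network login must never resolve to the superuser, whatever
   the (possibly tampered) account-mapping file says. */
int target_uid_allowed(uid_t uid)
{
    return uid != 0;
}

/* Returns 0 once the process has irreversibly become pw, -1 otherwise.
   On -1 the caller must exit instead of continuing the session. */
int drop_to_user(const struct passwd *pw)
{
    if (pw == NULL || !target_uid_allowed(pw->pw_uid))
        return -1;                 /* refuse before touching credentials */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;                 /* supplementary groups first */
    if (setgid(pw->pw_gid) != 0)
        return -1;                 /* group before user, while still privileged */
    if (setuid(pw->pw_uid) != 0)
        return -1;
    /* Verify the drop: no root ids left and root cannot be regained. */
    if (getuid() == 0 || geteuid() == 0 || setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* System user a login was mapped to; "root" shows the refusal path. */
    const char *name = argc > 1 ? argv[1] : "root";
    struct passwd *pw = getpwnam(name);

    if (drop_to_user(pw) != 0) {
        fprintf(stderr, "refusing to continue for system user %s\n", name);
        return 1;
    }
    printf("now running as uid %lu\n", (unsigned long)getuid());
    return 0;
}
```

The uid check comes before any credential change, so an entry that maps a login to root is rejected even when every later call would have succeeded.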