2003-12-11 security vulnerability in cvs
Versions 1.11.9 and below of cvs contain a security
vulnerability that may allow an attacker to create directories in the
root of the filesystem.
This problem has been fixed in release 1.11.10 of cvs.
If you have been running cvsd in the default configuration
this exploit would not have any effect.
You are advised to upgrade cvs (remember to upgrade cvs inside the
chroot jail too with cvsd-buildroot).
The cvs NEWS file: http://ccvs.cvshome.org/...NEWS...
2003-09-28 release 1.0.0 of cvsd
Finally, version 1.0 of cvsd has been released.
The code from cvsd has been stable for quite a while with
only minor changes recently.
Also this is my first release of cvsd as an official
Debian developer.
Let the celebrations begin!
changes since 0.9.20:
switched to using rpmbuild for building rpms
French translation for debian package configuration
2003-08-17 release 0.9.20 of cvsd
changes since 0.9.19:
debian package improvements
rewrite code for storing of configuration settings
upgrade to automake 1.7
some documentation improvements
check for tmpreaper in cvsd-buildroot should work now
fix for when MaxConnections is 0
2003-06-08 release 0.9.19 of cvsd
changes since 0.9.18:
small code improvements
upgrade to autoconf (2.57) and automake (1.6.3)
fixes to libwrap code and improvements to properly detect required libraries for libwrap from configure
debian configuration improvements (cvsd.conf is now modified instead of replaced and support for translations has been added)
2003-04-21 release 0.9.18 of cvsd
changes since 0.9.17:
fix in cvsd-buildroot (typo) thanks to Brent Cooke
small portability fixes taken from the FreeBSD ports system
some documentation improvements
updated manual pages to represent hyphens and dashes correctly
added status option to init script
many Debian configuration improvements
2003-02-16 release 0.9.17 of cvsd
changes since 0.9.16:
cvsd-buildroot now tests if created devices are usable
libwrap improvements for RedHat 8 thanks to Dave Love
configure script improvements
upgrade to automake 1.6
fix for bug in getaddrinfo() replacement thanks to Leonid Y Lisovskiy
configure fix for SCO thanks to Leonid Y Lisovskiy
2003-01-22 security vulnerability in cvs
Versions 1.11.4 and below of cvs contain a security vulnerability that may
allow a remote attacker to execute arbitrary code, even on an anonymous read-only
pserver. This problem has been fixed in release 1.11.5 of cvs.
If you have been running cvsd with the RootJail and Uid
options (default) this flaw is limited to damaging files inside your chroot jail
that the cvsd uid has write access to (which should be no files in a typical
installation). Using resource limits will further limit the amount of damage that
can be done using this exploit.
You are advised to upgrade cvs (remember to upgrade cvs inside the chroot jail too with
cvsd-buildroot).
The original advisory: http://security.e-matters.de/advisories/012003.html
The cvs NEWS file: http://ccvs.cvshome.org/...NEWS?rev=1.112.2.1
The Common Vulnerabilities and Exposures project has assigned the name
CAN-2003-0015 to this issue.
2003-01-19 release 0.9.16 of cvsd
changes since 0.9.15:
logging may now be customized through the Log configuration option
errors in the configuration file are reported to stderr on startup
backwards compatibility for the old Port configuration option was removed
normal logging is now disabled in debugging mode (-d switch)
fixed bug that caused logging to always occur at debug level