2004-12-12 release 1.0.4 of cvsd
This is a minor maintenance update for the 1.0 release.
changes since 1.0.3:
fix small bug in cvsd-buginfo
added Japanese debconf translation by Hideki Yamane
small Debian package improvements
upgrade to automake 1.9
Upgrade note: for newer versions of cvs you may need to create an
Emptydir directory in every CVSROOT directory
(see the faq).
2004-08-07 release 1.0.3 of cvsd
This is a maintenance update for the 1.0 release.
changes since 1.0.2:
documentation improvements and fixes
made scripts more portable
added cvsd-buginfo script for gathering information for bugreports and
added reportbug hooks in the debian package
added experimental capabilities support (disabled by default) based on a
patch by Shugo Maeda
2004-06-09 another cvs security update
Several new security problems have been found in cvs during an audit of the
cvs source code.
Some of the bugs are thought to be exploitable and could result
in running arbitrary code on the server.
The CVE project has assigned ids CAN-2004-0414, CAN-2004-0416, CAN-2004-0417
and CAN-2004-0418 to these problems.
These problems have been fixed in version 1.11.17 for the stable release and
1.12.9 for the feature release of cvs.
If you have been running cvsd in the default configuration these
exploits are limited to running code as an unprivileged user inside a chroot
jail and possibly damaging files inside the jail.
You are advised to upgrade cvs (remember to also upgrade cvs inside the
chroot jail with cvsd-buildroot).
2004-05-20 heap overflow in cvs
Stefan Esser discovered an exploitable heap overflow that allows for remote
execution of arbitrary code in a cvs pserver.
The CVE project assigned the id CAN-2004-0396 to the problem.
This problem has been fixed in version 1.11.16 for the stable release and
1.12.8 for the feature release.
If you have been running cvsd in the default configuration this
exploit is limited to running code as an unprivileged user inside a chroot
jail and possibly damaging files inside the jail.
You are advised to upgrade cvs (remember to also upgrade cvs inside the
chroot jail with cvsd-buildroot).
Update: an exploit is available.
2004-04-17 release 1.0.2 of cvsd
This is a maintenance upgrade for the 1.0 release.
changes since 1.0.1:
Danish translation for debian package configuration by Claus Hindsgaul,
also translation updates for German by Jens Seidel and French by Christian
Perrier, plus some more small configuration improvements
have cvsd-buildroot also create /libexec in the chroot jail if it is
present on the system (fix for FreeBSD 5.2.1)
init script now uses kill -0 <pid> to check if cvsd is running (not the
nicest solution, but it seems to be the most portable solution)
2004-02-22 release 1.0.1 of cvsd
This is the first update to the 1.0 release of cvsd.
This is mainly a bugfix release.
changes since 1.0.0:
move logging of exiting child processes and exit signals out of
signal handlers to avoid deadlock race condition in signal-unsafe
functions, thanks to Dan Nuffere for spotting this
updated German translation from ddtp for debian package
configuration
upgrade to autoconf 2.59
some redhat packaging improvements
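The signal-handler change listed for 1.0.1, sketched as an added example (not cvsd's own code; all function and variable names are hypothetical): the handler only sets a flag, and the main loop reaps and logs exited children outside signal context.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical names; illustrates the pattern, not cvsd's source. */
static volatile sig_atomic_t got_sigchld = 0;
/* The handler only records the event: syslog() is not async-signal-safe and
 * can deadlock if the signal interrupted syslog() or malloc() in the main flow. */
static void on_sigchld(int signo) { (void)signo; got_sigchld = 1; }

int install_sigchld_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Runs in the main loop, outside signal context; returns children reaped. */
int reap_and_log_children(void)
{
    int status, reaped = 0;
    pid_t pid;
    if (!got_sigchld) return 0;
    got_sigchld = 0; /* clear first: a signal during the loop sets it again */
    while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
        if (WIFEXITED(status))
            syslog(LOG_INFO, "child %ld exit status %d", (long)pid, WEXITSTATUS(status));
        else if (WIFSIGNALED(status))
            syslog(LOG_NOTICE, "child %ld killed by signal %d", (long)pid, WTERMSIG(status));
        reaped++;
    }
    return reaped;
}

int main(void)
{
    if (install_sigchld_handler() != 0) return 1;
    pid_t child = fork();
    if (child < 0) return 1;
    if (child == 0) _exit(3);          /* constructed child: exits at once */
    while (reap_and_log_children() == 0) sleep(1);
    return 0;
}
```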
2004-01-09 security update for cvs
Release 1.11.11 of cvs prevents the cvs pserver from running as root after a user
has logged in. This prevents running the cvs operations as root.
If you have configured cvsd to run as the cvsd user (default
configuration) cvs would not be running as root in the first
place. This update is advised when you have configured cvsd
to run as root (don't forget to run cvsd-buildroot).