Debian Security Advisory
cvsweb -- unauthorized remote code execution
- Date Reported:
- 16 Jul 2000
- Affected Packages:
- cvsweb
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-0670.
- More information:
- The versions of cvsweb distributed in Debian GNU/Linux 2.1
(aka slink), as well as in the frozen (potato) and unstable (woody)
distributions, are vulnerable to a remote shell exploit. An attacker with write
access to the CVS repository can execute arbitrary code on the server as the
www-data user.
The vulnerability is fixed in version 109 of cvsweb for the current stable release (Debian GNU/Linux 2.1), in version 1.79-3potato1 for the frozen distribution, and in version 1.86-1 for the unstable distribution.
- Fixed in:
Debian GNU/Linux 2.1 (slink):
- Source:
- http://security.debian.org/dists/slink/updates/source/cvsweb_109.dsc
- http://security.debian.org/dists/slink/updates/source/cvsweb_109.tar.gz
- Architecture-independent component:
- http://security.debian.org/dists/slink/updates/binary-all/cvsweb_109_all.deb
Debian GNU/Linux 2.2 (potato):
- Source:
- http://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.diff.gz
- http://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.dsc
- http://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79.orig.tar.gz
- Architecture-independent component:
- http://http.us.debian.org/debian/dists/potato/main/binary-all/devel/cvsweb_1.79-3potato1.deb