Debian Security Advisory

cvsweb -- unauthorized remote code execution

Date Reported:
16 Jul 2000
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2000-0670.
More information:
The versions of cvsweb distributed in Debian GNU/Linux 2.1 (aka slink), as well as those in the frozen (potato) and unstable (woody) distributions, are vulnerable to a remote shell exploit. An attacker with write access to the CVS repository can execute arbitrary code on the server as the www-data user.

The vulnerability is fixed in version 109 of cvsweb for the current stable release (Debian GNU/Linux 2.1), in version 1.79-3potato1 for the frozen distribution, and in version 1.86-1 for the unstable distribution.

Fixed in:

Debian GNU/Linux 2.1 (slink):

Architecture-independent component:

Debian GNU/Linux 2.2 (potato):

Architecture-independent component: