Debian Security Advisory
DSA-117-1 cvs -- improper variable initialization
- Date Reported:
- 05 Mar 2002
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2002-0092.
- More information:
Kim Nielsen recently found an internal problem with the CVS server and reported it to the vuln-dev mailing list. The problem is triggered by an improperly initialized global variable. A user exploiting this can crash the CVS server, which may be accessed through the pserver service and running under a remote user id. It is not yet clear if the remote account can be exposed, though.
This problem has been fixed in version 1.10.7-9 for the stable Debian distribution with help of Niels Heinen and in versions newer than 1.11.1p1debian-3 for the testing and unstable distribution of Debian (not yet uploaded, though).
We recommend that you upgrade your CVS package.
- Fixed in:
Debian GNU/Linux 2.2 (potato)
- Architecture-independent component:
- Intel ia32:
- Motorola 680x0:
- Sun Sparc:
MD5 checksums of the listed files are available in the original advisory.