Hi all,
For those who don't know, cvshome.org is currently down because it was
hacked, via its CVS server we believe. cvshome.org was used to send
an email that contains an exploit for the security vulnerability
CAN-2004-0396
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396>
patched in releases 1.11.16 & 1.12.8.
The email with the exploit is here:
<http://www.packetstormsecurity.org/0405-exploits/cvs_linux_freebsd_HEAP.c>.
Our working theory is that cvshome.org was abused to send the email
using a root kit installed prior to the patching of its CVS server for
CAN-2004-0396.
Note that this vulnerability requires a valid login id & password on
the CVS server to exploit, but that even an anonymous & read-only
account is sufficient. This vulnerability also applies to any CVS
server, post-authentication. A CVS server accessed via pserver, ssh,
or any other method will be equally vulnerable.
I recommend that any CVS server running a release of CVS earlier than
1.11.16 or 1.12.8 be taken down immediately and patched.
cvshome.org should be back up shortly but it may be some time before
anonymous read-only access is reenabled. Thanks go out to the folks
at CollabNet for all the time they have been spending on this.
Derek
-- 
*8^)
Email: address@hidden
Get CVS support at <http://ximbiot.com>!
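As an added defender's check (not part of Derek's mail or of the CVS project's code): a small Python triage script that pulls the release number out of a `cvs --version` banner and applies the two thresholds named above per branch, since 1.12.0 through 1.12.7 sort numerically above 1.11.16 yet are still unpatched. The banner strings are constructed samples, and treating branches older than 1.11 as unpatched is an assumption.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (1, 11): (1, 11, 16),
    (1, 12): (1, 12, 8),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_cvs_version(banner):
    """Return the x.y.z release as an int tuple, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version):
    """True when the release predates the CAN-2004-0396 fix for its branch.

    A flat comparison against 1.11.16 is wrong: 1.12.0..1.12.7 compare
    greater yet are unpatched, so each branch is checked against its own fix.
    """
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    # Assumption: branches before 1.11 received no backported fix.
    if branch < (1, 11):
        return True
    # Any later branch postdates both fixed releases.
    return False


def triage(banner):
    """One-line verdict for a banner, suitable for an inventory sweep."""
    v = parse_cvs_version(banner)
    if v is None:
        return "unknown: could not parse version"
    verdict = "VULNERABLE - take down and patch" if is_vulnerable(v) else "patched"
    return "%d.%d.%d: %s" % (v + (verdict,))


if __name__ == "__main__":
    # Constructed sample banners in the `cvs --version` output format.
    for banner in (
        "Concurrent Versions System (CVS) 1.11.15 (client/server)",
        "Concurrent Versions System (CVS) 1.12.7 (client/server)",
        "Concurrent Versions System (CVS) 1.12.8 (client/server)",
    ):
        print(triage(banner))
```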
_______________________________________________
Info-cvs mailing list
address@hidden
http://mail.gnu.org/mailman/listinfo/info-cvs