Originally Published: Sunday, 16 July 2000 Author: Alexander Reelsen
Published to: news_enhance_security/Security News Page: 1/1 - [Printable]

Debian Security Advisory - cvsweb

The versions of cvsweb distributed in Debian GNU/Linux 2.1 (aka slink) as well as in the frozen (potato) and unstable (woody) distributions, are vulnerable to a remote shell exploit. An attacker with write access to the cvs repository can execute arbitrary code on the server, as the www-data user.

   Page 1 of 1  

Date: Sun, 16 Jul 2000 02:40:24 -0400 From: Wichert Akkerman To: debian-security-announce@lists.debian.org Subject: [SECURITY] New version of cvsweb released

- ------------------------------------------------------------------------ Debian Security Advisory security@debian.org http://www.debian.org/security/ Wichert Akkerman July 16, 2000 - ------------------------------------------------------------------------

Package: cvsweb Vulnerability type: remote shell Debian-specific: no

The versions of cvsweb distributed in Debian GNU/Linux 2.1 (aka slink) as well as in the frozen (potato) and unstable (woody) distributions, are vulnerable to a remote shell exploit. An attacker with write access to the cvs repository can execute arbitrary code on the server, as the www-data user.

The vulnerability is fixed in version 109 of cvsweb for the current stable release (Debian 2.1), in version 1.79-3potato1 for the frozen distribution, and in version 1.86-1 for the unstable distribution.

wget url will fetch the file for you dpkg -i file.deb will install the referenced file.

Debian GNU/Linux 2.1 alias slink - ------------------------------------

Source archives: http://security.debian.org/dists/stable/updates/source/cvsweb_109.dsc MD5 checksum: b1810728310882fb72078674521ee369 http://security.debian.org/dists/stable/updates/source/cvsweb_109.tar.gz MD5 checksum: 4c42ec3ba7248fc2499cdfaa6ae6b702

Architecture indendent archives: http://security.debian.org/dists/stable/updates/binary-all/cvsweb_109_all.deb MD5 checksum: fe9144254ab224923ac627aef7ec2167

Debian GNU/Linux 2.2 alias potato - -------------------------------------

Please note that potato has not been released yet.

Source archives: http://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.diff.gz MD5 checksum: 9dcb469f5da602cd53e41258febba244 http://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.dsc MD5 checksum: b4aceba93a6721486f8ca42f230c7271 http://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79.orig.tar.gz MD5 checksum: c755a4c75d4c8844274458ae5953823b

Binary package for all architectures: http://http.us.debian.org/debian/dists/potato/main/binary-all/devel/cvsweb_1.79-3potato1.deb MD5 checksum: 1b89d61312925ee7934108c4f638d912

Debian GNU/Linux unstable alias woody - -------------------------------------

Please note that woody has not been released yet.

Source archives: http://http.us.debian.org/debian/dists/woody/main/source/devel/cvsweb_1.86-1.diff.gz MD5 checksum: e3fc2117d689746eaa2cf4c8a701aa4e http://http.us.debian.org/debian/dists/woody/main/source/devel/cvsweb_1.86-1.dsc MD5 checksum: 0b2b9bf0b1fe39552da03698ba37bc36 http://http.us.debian.org/debian/dists/woody/main/source/devel/cvsweb_1.86.orig.tar.gz MD5 checksum: ea93ed274ec6fbd49cec57c759747cb7

Binary package for all architectures: http://http.us.debian.org/debian/dists/woody/main/binary-all/devel/cvsweb_1.86-1.deb MD5 checksum: a99c605e0d77f1c56a82c95a3dc6d83f

- -- - ---------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable updates For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates Mailing list: debian-security-announce@lists.debian.org





   Page 1 of 1