Test ID:	1.3.6.1.4.1.25623.1.0.50366
Category:	Fedora Local Security Checks
Title:	Fedora Core 2 FEDORA-2004-131 (cvs)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to cvs announced via advisory FEDORA-2004-131. Stefan Esser discovered a flaw in cvs where malformed 'Entry' lines could cause a heap overflow. An attacker who has access to a CVS server could use this flaw to execute arbitrary code under the UID which the CVS server is executing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0396 to this issue. This update includes a patch by Derek Price, based on a patch by Stefan Esser, which corrects this flaw. This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ e4e908430953b43fcd8543b4cf3ba123 SRPMS/cvs-1.11.15-6.src.rpm a05f5a97fa3e6b9a51eba6f418b51092 i386/cvs-1.11.15-6.i386.rpm 8484fea6acfc241e351a16ad9199db47 i386/debug/cvs-debuginfo-1.11.15-6.i386.rpm 727d6b8fa0bd49ef2c9bbe4cf3205250 x86_64/cvs-1.11.15-6.x86_64.rpm b7ad37eee7739318c78985d2b598f878 x86_64/debug/cvs-debuginfo-1.11.15-6.x86_64.rpm This update can also be installed with the Update Agent you can launch the Update Agent with the 'up2date' command. Solution: Apply the appropriate updates. http://www.fedoranews.org/updates/FEDORA-2004-131.shtml Risk factor : High CVSS Score: 7.5
Cross-Ref:	BugTraq ID: 10384 Common Vulnerability Exposure (CVE) ID: CVE-2004-0396 http://www.securityfocus.com/bid/10384 Bugtraq: 20040519 Advisory 07/2004: CVS remote vulnerability (Google Search) http://cert.uni-stuttgart.de/archive/bugtraq/2004/05/msg00219.html http://marc.info/?l=bugtraq&m=108498454829020&w=2 Bugtraq: 20040519 [OpenPKG-SA-2004.022] OpenPKG Security Advisory (cvs) (Google Search) http://marc.info/?l=bugtraq&m=108500040719512&w=2 Cert/CC Advisory: TA04-147A http://www.us-cert.gov/cas/techalerts/TA04-147A.html CERT/CC vulnerability note: VU#192038 http://www.kb.cert.org/vuls/id/192038 Computer Incident Advisory Center Bulletin: O-147 http://www.ciac.org/ciac/bulletins/o-147.shtml Debian Security Information: DSA-505 (Google Search) http://www.debian.org/security/2004/dsa-505 http://marc.info/?l=bugtraq&m=108636445031613&w=2 FreeBSD Security Advisory: FreeBSD-SA-04:10 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0980.html http://security.gentoo.org/glsa/glsa-200405-12.xml http://www.mandriva.com/security/advisories?name=MDKSA-2004:048 http://security.e-matters.de/advisories/072004.html NETBSD Security Advisory: NetBSD-SA2004-008 ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-008.txt.asc OpenBSD Security Advisory: 20040520 cvs server buffer overflow vulnerability http://marc.info/?l=openbsd-security-announce&m=108508894405639&w=2 http://www.osvdb.org/6305 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9058 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A970 http://www.redhat.com/support/errata/RHSA-2004-190.html http://secunia.com/advisories/11641 http://secunia.com/advisories/11647 http://secunia.com/advisories/11651 http://secunia.com/advisories/11652 http://secunia.com/advisories/11674 http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.395865 SuSE Security Announcement: SuSE-SA:2004:013 (Google Search) http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/021742.html XForce ISS Database: cvs-entry-line-bo(16193) https://exchange.xforce.ibmcloud.com/vulnerabilities/16193
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.