| Description: | Summary:
The remote host is missing an update to the system
as announced in the referenced advisory.
Vulnerability Insight:
The following package is affected: cvs+ipv6
CVE-2004-0414
CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not
properly handle malformed 'Entry' lines, which prevents a NULL
terminator from being used and may lead to a denial of service
(crash), modification of critical program data, or arbitrary code
execution.
CVE-2004-0416
Double-free vulnerability for the error_prog_name string in CVS 1.12.x
through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers
to execute arbitrary code.
CVE-2004-0417
Integer overflow in the 'Max-dotdot' CVS protocol command
(serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through
1.11.16, may allow remote attackers to cause a server crash, which
could cause temporary data to remain undeleted and consume disk space.
CVE-2004-0418
serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16,
does not properly handle empty data lines, which may allow remote
attackers to perform an 'out-of-bounds' write for a single byte to
execute arbitrary code or modify critical program data.
CVE-2004-0778
CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote
attackers to determine the existence of arbitrary files and
directories via the -X command for an alternate history file, which
causes different error messages to be returned.
Solution:
Update your system with the appropriate patches or
software upgrades.
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
