Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.52888
Category:Turbolinux Local Security Tests
Title:Turbolinux TLSA-2004-15 (cvs)
Summary:NOSUMMARY
Description:Description:

The remote host is missing an update to cvs
announced via advisory TLSA-2004-15.

CVS is a front end to the rcs(1) revision control system which extends
the notion of revision control from a collection of files in a single
directory to a hierarchical collection of directories consisting of
revision controlled files.

- The client for CVS allows a remote malicious CVS server to create arbitrary files using
certain RCS diff files that use absolute pathnames during checkouts or updates.

- CVS contains a flaw when deciding if a CVS entry line should get a modified or unchanged flag attached.
This results in a heap overflow which can be exploited to execute arbitrary code on the CVS server.

This vulnerability may allow attackers to cause the CVS server to create directories or
files in your system.
An attacker that has access to a CVS server could use this flaw to execute arbitrary code
under the UID which the CVS server is executing.

Solution: Please use the turbopkg (zabom) tool to apply the update.
http://www.securityspace.com/smysecure/catid.html?in=TLSA-2004-15

Risk factor : High

CVSS Score:
7.5

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2004-0180
Debian Security Information: DSA-486 (Google Search)
http://www.debian.org/security/2004/dsa-486
http://marc.info/?l=bugtraq&m=108636445031613&w=2
FreeBSD Security Advisory: FreeBSD-SA-04:10
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc
http://security.gentoo.org/glsa/glsa-200404-13.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2004:028
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1042
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9462
http://www.redhat.com/support/errata/RHSA-2004-153.html
http://www.redhat.com/support/errata/RHSA-2004-154.html
http://secunia.com/advisories/11368
http://secunia.com/advisories/11371
http://secunia.com/advisories/11374
http://secunia.com/advisories/11375
http://secunia.com/advisories/11377
http://secunia.com/advisories/11380
http://secunia.com/advisories/11391
http://secunia.com/advisories/11400
http://secunia.com/advisories/11405
http://secunia.com/advisories/11548
SGI Security Advisory: 20040404-01-U
ftp://patches.sgi.com/support/free/security/advisories/20040404-01-U.asc
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.400181
SuSE Security Announcement: SuSE-SA:2004:008 (Google Search)
XForce ISS Database: cvs-rcs-create-files(15864)
https://exchange.xforce.ibmcloud.com/vulnerabilities/15864
Common Vulnerability Exposure (CVE) ID: CVE-2004-0396
BugTraq ID: 10384
http://www.securityfocus.com/bid/10384
Bugtraq: 20040519 Advisory 07/2004: CVS remote vulnerability (Google Search)
http://cert.uni-stuttgart.de/archive/bugtraq/2004/05/msg00219.html
http://marc.info/?l=bugtraq&m=108498454829020&w=2
Bugtraq: 20040519 [OpenPKG-SA-2004.022] OpenPKG Security Advisory (cvs) (Google Search)
http://marc.info/?l=bugtraq&m=108500040719512&w=2
Cert/CC Advisory: TA04-147A
http://www.us-cert.gov/cas/techalerts/TA04-147A.html
CERT/CC vulnerability note: VU#192038
http://www.kb.cert.org/vuls/id/192038
Computer Incident Advisory Center Bulletin: O-147
http://www.ciac.org/ciac/bulletins/o-147.shtml
Debian Security Information: DSA-505 (Google Search)
http://www.debian.org/security/2004/dsa-505
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc
http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0980.html
http://security.gentoo.org/glsa/glsa-200405-12.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2004:048
http://security.e-matters.de/advisories/072004.html
NETBSD Security Advisory: NetBSD-SA2004-008
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-008.txt.asc
OpenBSD Security Advisory: 20040520 cvs server buffer overflow vulnerability
http://marc.info/?l=openbsd-security-announce&m=108508894405639&w=2
http://www.osvdb.org/6305
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9058
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A970
http://www.redhat.com/support/errata/RHSA-2004-190.html
http://secunia.com/advisories/11641
http://secunia.com/advisories/11647
http://secunia.com/advisories/11651
http://secunia.com/advisories/11652
http://secunia.com/advisories/11674
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.395865
SuSE Security Announcement: SuSE-SA:2004:013 (Google Search)
http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/021742.html
XForce ISS Database: cvs-entry-line-bo(16193)
https://exchange.xforce.ibmcloud.com/vulnerabilities/16193
CopyrightCopyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2024 E-Soft Inc. All rights reserved.