Debian Security Advisory DSA 505-1 (cvs) Network Vulnerability

Summary

The remote host is missing an update to cvs announced via advisory DSA 505-1.

Solution

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20505-1

Insight

Stefan Esser discovered a heap overflow in the CVS server, which serves the popular Concurrent Versions System. Malformed Entry Lines in combination with Is-modified and Unchanged can be used to overflow malloc()ed memory. This was prooven to be exploitable. For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-9woody4. For the unstable distribution (sid) this problem has been fixed in version 1.12.5-6. We recommend that you upgrade your cvs package immediately.

Severity

Classification

CVE CVE-2004-0396

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Debian Security Advisory DSA 1024-1 (clamav)
Debian Security Advisory DSA 1039-1 (blender)
Debian Security Advisory DSA 1015-1 (sendmail)
Debian Security Advisory DSA 1072-1 (nagios)
Debian Security Advisory DSA 107-1 (jgroff)

Take action and discover your vulnerabilities