RHEL 2.1 / 3 : cvs (RHSA-2004:004)

high Nessus Plugin ID 12446

Synopsis

The remote Red Hat host is missing a security update.

Description

Updated cvs packages closing a vulnerability that could allow cvs to attempt to create files and directories in the root file system are now available.

CVS is a version control system frequently used to manage source code repositories.

A flaw was found in versions of CVS prior to 1.11.10 where a malformed module request could cause the CVS server to attempt to create files or directories at the root level of the file system. However, normal file system permissions would prevent the creation of these misplaced directories. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0977 to this issue.

Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue.

For Red Hat Enterprise Linux 2.1, these updates also fix an off-by-one overflow in the CVS PreservePermissions code. The PreservePermissions feature is not used by default (and can only be used for local CVS).
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2002-0844 to this issue.

Solution

Update the affected cvs package.

See Also

https://access.redhat.com/security/cve/cve-2002-0844

https://access.redhat.com/security/cve/cve-2003-0977

http://www.nessus.org/u?15fcc3b2

http://www.nessus.org/u?3767cc0a

https://access.redhat.com/errata/RHSA-2004:004

Plugin Details

Severity: High

ID: 12446

File Name: redhat-RHSA-2004-004.nasl

Version: 1.28

Type: local

Agent: unix

Published: 7/6/2004

Updated: 1/14/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:cvs, cpe:/o:redhat:enterprise_linux:2.1, cpe:/o:redhat:enterprise_linux:3

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 1/14/2004

Vulnerability Publication Date: 8/12/2002

Reference Information

CVE: CVE-2002-0844, CVE-2003-0977

RHSA: 2004:004