Slackware: cvs double free vulnerability
Posted by LinuxSecurity.com Team   
Slackware On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges.

New cvs packages are available to fix a security vulnerability.

Here are the details from the Slackware 8.1 ChangeLog:

----------------------------
Tue Jan 21 13:12:20 PST 2003
patches/packages/cvs-1.11.5-i386-1.tgz:  Upgraded to cvs-1.11.5.
   This release fixes a major security vulnerability in the CVS server
   by which users with read only access could gain write access.
   Details should be available at this URL (but don't seem to be yet):
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
   (* Security fix *)
----------------------------


WHERE TO FIND THE NEW PACKAGE:
------------------------------
Updated cvs package for Slackware 8.1: 
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/cvs-1.11.5-i386-1.tgz

Updated cvs package for Slackware -current: 
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/cvs-1.11.5-i386-1.tgz


MD5 SIGNATURE:
--------------

Here is the md5sum for the package:

Slackware 8.1:
37d76c774c9474bf0117d429d6c3740e  cvs-1.11.5-i386-1.tgz

Slackware -current:
c43d82187dfa695aa53aaf5b4d3050a1  cvs-1.11.5-i386-1.tgz


INSTALLATION INSTRUCTIONS:
--------------------------

As root, upgrade to the new cvs.tgz package:
# upgradepkg cvs.tgz

Remember, it's also a good idea to backup configuration files before
upgrading packages.

- Slackware Linux Security Team
   http://www.slackware.com