OpenBSD: cvs Multiple vulnerabilities
Posted by LinuxSecurity.com Team   

An audit of the cvs codebase performed by Stefan Esser and Sebastian
Krahmer has found some potential remote vulnerabilities in cvs.

While no exploits are known to exist for these bugs under OpenBSD
at this time, some of the bugs have proven exploitable on other
operating systems.  Therefore, we encourage users running cvs servers
to patch their systems.  Users running cvs clients (but not servers)
do not need to update.

The fixes have been committed to OpenBSD-current as well as the
3.4 and 3.5 -stable branches.

Patches against OpenBSD 3.4 and 3.5 are also available:
     ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/023_cvs3.patch
     ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.5/common/011_cvs3.patch

For more details, please see:
     http://security.e-matters.de/advisories/092004.html