[cvsnt] Re: Recent cvs vulnerability.
Michael Kennedy [UB]
mkennedy at REMOVETHIS.unitedbinary.com
Wed Jun 16 20:21:44 BST 2004

What is the lowest version number that contains the extra measures against
the security holes?

"Tony Hoyle" <tmh at nodomain.org> wrote in message
news:calc5n$cdn$2 at paris.nodomain.org...
> Jonathan Belson wrote:
> > Hiya
> > I notice that the cvshome.com recently got hit by a remote exploit, and
> > I was wondering if cvsnt shared this vulnerability (I looked back
> > the mailing list archives but didn't see any references to it).
> > This site implies that only pserver is affected:
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396
> > but cvshome.com suggests that *any* remote protocol is vulnerable.
> > My server uses sspi and has pserver disabled - do I have anything to
> > about?
> CVSNT has some extra checks that reduce the impact of such problems, but
> as far as I can tell it isn't vulnerable anyway. I've tightened up some
> of the checking in the development versions to specifically check for
> someone trying something though.