Community technical support mailing list was retired in 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Hi,

I am running an instance of the free cvsnt server v2.5.03-2151 locally on my laptop. It is periodically scanned in the company network by the Nessus vulnerability scanner (http://www.nessus.org), which reports a '12240 CVS pserver heap overflow' vulnerability.

What Nessus apparently does is not detect the vulnerability directly but instead check the tested server's version number against a range of known affected versions. These are version numbers of CVS as distributed through project GNU (all 1.x). March Hare's distribution uses its own version numbers and is diagnosed as vulnerable. This may or may not be true.

I am looking for a statement about this issue. Preferably the server should be modified to report a wider range of CVS version numbers to non-CVSNT clients (Compatibility Options tab).

Regards,
Jan van Mastbergen
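As an added example (not code from the original post, from March Hare or from the Nessus plugin), here is a Python sketch of the kind of version-banner check a scanner performs on the reply to the CVS protocol `version` request, next to a variant that reports what the banner can and cannot prove. The banner strings are constructed to the shape of the real reply, the affected-version range is a placeholder and not the advisory's figures, and the compatibility-mode banner is an assumption about what a CVSNT server emulating an old GNU CVS version would show to non-CVSNT clients; on that evidence alone it is indistinguishable from a genuine GNU CVS server, which is why a version-only match cannot settle the question either way.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed banners in the shape of the text a CVS server returns to the
# protocol "version" request ("M <text>", followed by an "ok" line).
CVSNT_BANNER = "M Concurrent Versions System (CVSNT) 2.5.03 (Scorpio) Build 2151 (client/server)"
GNU_BANNER = "M Concurrent Versions System (CVS) 1.12.13 (client/server)"
# What a CVSNT server emulating an old GNU CVS version for non-CVSNT clients
# might return; the number is an assumption, not a documented setting.
COMPAT_BANNER = "M Concurrent Versions System (CVS) 1.11.1p1 (client/server)"

BANNER_RE = re.compile(
    r"Concurrent Versions System \((?P<product>CVSNT|CVS)\)\s+"
    r"(?P<version>\d+(?:\.\d+)*(?:p\d+)?)"   # 1.11.1p1, 1.12.13, 2.5.03
    r"(?:\s+\([^)]*\))?"                      # optional "(Scorpio)" codename
    r"(?:\s+Build\s+(?P<build>\d+))?"          # CVSNT build number
)


@dataclass(frozen=True)
class Banner:
    product: str              # "CVS" (GNU) or "CVSNT" (March Hare)
    version: Tuple[int, ...]  # numeric components; a "pN" patch level is appended
    build: Optional[int]


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.11.1p1' -> (1, 11, 1, 1); '2.5.03' -> (2, 5, 3)."""
    return tuple(int(chunk) for chunk in text.replace("p", ".").split("."))


def parse_banner(line: str) -> Optional[Banner]:
    """Strip the protocol 'M ' prefix and pull product, version and build out."""
    text = line[2:] if line.startswith("M ") else line
    m = BANNER_RE.search(text)
    if m is None:
        return None
    build = int(m.group("build")) if m.group("build") else None
    return Banner(m.group("product"), parse_version(m.group("version")), build)


# Placeholder range (assumption, not the advisory's figures): GNU CVS versions
# >= AFFECTED_LOW and < AFFECTED_FIXED are treated as affected.
AFFECTED_LOW = (1, 11, 0)
AFFECTED_FIXED = (1, 11, 99)


def naive_verdict(line: str) -> str:
    """Scanner-style check: a range match on the version number and nothing else."""
    b = parse_banner(line)
    if b is None:
        return "no-banner"
    return "vulnerable" if AFFECTED_LOW <= b.version < AFFECTED_FIXED else "not-vulnerable"


def product_aware_verdict(line: str) -> str:
    """Same range, but say only what the banner supports.

    A CVSNT banner carries an unrelated version stream, so a GNU CVS range does
    not apply to it.  A GNU-looking banner inside the range may still come from
    a CVSNT server emulating an old CVS version for non-CVSNT clients, so the
    most the banner supports is 'affected range, unconfirmed'.
    """
    b = parse_banner(line)
    if b is None:
        return "no-banner"
    if b.product == "CVSNT":
        return "cvsnt-range-not-applicable"
    if AFFECTED_LOW <= b.version < AFFECTED_FIXED:
        return "affected-range-unconfirmed"
    return "outside-affected-range"


if __name__ == "__main__":
    for name, line in (("cvsnt", CVSNT_BANNER), ("gnu", GNU_BANNER), ("compat", COMPAT_BANNER)):
        print(f"{name:6} naive={naive_verdict(line):15} aware={product_aware_verdict(line)}")
```

Run stand-alone, the script shows the CVSNT banner falling outside the placeholder range while the compatibility-mode banner falls inside it with a plain "vulnerable" from the naive check; the product-aware variant downgrades that to an unconfirmed range match, which is the level of confidence a version string actually supports and the point at which a human has to confirm against the vendor's own statement rather than the banner.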