[cvsnt] ?Heap overflow vulnerability for cvsnt server 2.5.03?
Jan van Mastbergen
hal at onsnet.nu
Tue Feb 28 12:40:19 GMT 2006
I am running an instance of the free cvsnt server v2.5.03-2151 locally
on my laptop. It is periodically scanned in the company network by the
Nessus vulnerability scanner (http://www.nessus.org) which reports a
'12240 CVS pserver heap overflow' vulnerability.
What Nessus apparently does is not detect the vulnerability directly but
instead check the tested server's version number against a range of
known affected versions. These are version numbers of CVS as distributed
through project GNU (all 1.x). March Hare's distribution uses its own
version numbers and is diagnosed as vulnerable.
This may or may not be true. I am looking for a statement about this
issue. Preferably the server should be modified to report a wider range
of CVS version numbers to non-CVSNT clients (Compatibility Options tab).
Regards, Jan van Mastbergen