Package name: cvsweb
Date: 2000-07-14
Advisory ID: MDKSA-2000:019
Affected versions: 7.1 i586

Problem description

Cvsweb contains a hole that gives shell access to attackers who have write access to a CVS repository. Thus, attackers who have write access to a CVS repository but not shell access can obtain a shell. In addition, anyone with write access to a CVS repository that is viewable with cvsweb can gain the access of whatever user the cvsweb CGI script runs as (typically nobody, www-data, etc.). This update closes all of these potentially exploitable pipe-opens.
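
The class of bug described above, as an added example (not cvsweb's code and not part of the advisory): a Perl pipe-open that builds a shell command string from a repository file name, beside the list form that bypasses the shell. It assumes the file name is attacker-influenced; `cat`, the function names and the sample file name are constructed stand-ins.

```perl
#!/usr/bin/perl
# Added illustration; not cvsweb's code. Function names, the stand-in
# command (cat) and the sample file name are constructed for this example.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Shell form: the command is a single string, so Perl hands it to /bin/sh
# and any metacharacters inside $file are interpreted by the shell.
sub lines_shell_form {
    my ($file) = @_;
    open(my $fh, "cat $file 2>/dev/null |") or return;
    my @out = <$fh>;
    close $fh;
    return @out;
}

# List form: no shell is involved; $file reaches the program as exactly one
# argv entry. "--" keeps a leading "-" in the name from being read as an option.
sub lines_list_form {
    my ($file) = @_;
    open(my $fh, '-|', 'cat', '--', $file) or return;
    my @out = <$fh>;
    close $fh;
    return @out;
}

# Constructed repository entry whose name contains a shell metacharacter.
my $dir  = tempdir(CLEANUP => 1);
my $name = "$dir/demo;echo INJECTED";
open(my $w, '>', $name) or die "cannot create sample file: $!";
print {$w} "file contents\n";
close $w;

# The shell form runs the text after ';' as a second command; the list form
# reads the file with that literal name.
print "shell form: ", lines_shell_form($name);
print "list form:  ", lines_list_form($name);
```

When auditing a Perl CGI for this pattern, look for `open` calls whose argument starts or ends with `|`, and for backticks or one-string `system` calls, wherever the string includes a name taken from the repository.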

Updated packages

7.1 i586

2a435a7edf358f59a93eb5534efcd273  7.1/RPMS/cvsweb-1.80-3mdk.noarch.rpm
24b7d490f63e154c88909c9b214793e0  7.1/SRPMS/cvsweb-1.80-3mdk.src.rpm