- Package name
- Advisory ID
- Affected versions
- 7.1 i586
Cvsweb contains a hole that provides attackers who have write access to a cvs repository with shell access. Thus, attackers who have write access to a cvs repository but not shell access can obtain a shell. In addition, anyone with write access to a cvs repository that is viewable with cvsweb can get access to whatever user the cvsweb cgi script runs as (typically nobody or www-data, etc.). This update closes all of these possibly exploited pipe-opens.
2a435a7edf358f59a93eb5534efcd273 7.1/RPMS/cvsweb-1.80-3mdk.noarch.rpm 24b7d490f63e154c88909c9b214793e0 7.1/SRPMS/cvsweb-1.80-3mdk.src.rpm