The community technical support mailing list was retired in 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Andreas Tscharner wrote:
> Hello World, hello Tony,
>
> The page
> http://security.e-matters.de/advisories/092004.html
> describes six new security issues of the original Unix CVS. Is CVSNT
> affected by any of them?
>

It doesn't look like it at first glance.

I put in global double-free protection after the first scare a couple of years ago, so that's well covered anyway.

Anything related to CVSROOT access isn't urgent and might be worth looking at at some point (only an idiot would give CVSROOT checkin access to an untrusted user... it's relatively easy to breach security given such access anyway).

Integer overflows don't crash Intel systems so that's low priority (the only thing max-dotdot is used for is a comparison so you'd get bogus results rather than a crash).

There simply isn't enough detail in that report to give an absolute yes or no to any of them (except the double free bugs, which cvsnt is not vulnerable to). I'm not told of these things in any more detail than anyone else... cvsnt has too few users/is too unimportant to get early notification of security issues.

Going on those descriptions and what I know of the code though I think we're pretty safe.

Tony