Vulnerability in CVS Software is Patched
19th April, 2005
Serious vulnerabilities have been found in Concurrent Versions System, a source code maintenance system used by many open source development projects. The security holes, which could allow a remote compromise of unpatched servers, are addressed in a security update from the CVS development team.
Version 1.12.2 of CVS fixes a potentially serious buffer overflow. "An attacker could exploit these vulnerabilities to cause a Denial of Service or execute arbitrary code with the permissions of the CVS pserver or the authenticated user," warned an advisory from Gentoo Linux, posted on the BugTraq list.
CVS is the dominant open source version control system, used to manage development efforts by tracking revisions to source code. As such, it is a potentially lucrative target for attackers seeking to spread exploits through source downloads and synchronized updates and patches.
Last year the CVS project web server was compromised by hackers who found and exploited a buffer overflow. The server was taken offline and cleaned, but the incident prompted an alert from US-CERT, the agency coordinating U.S. cybersecurity awareness.
Netcraft offers a range of advanced security services, including The Netcraft Network Examination, an automated vulnerability test of Internet-connected networks which checks for new security vulnerabilities and configuration errors caused by system and network maintenance.