Remote Root Exploit in CVS
RenHoek writes "Security expert Stefan Esser from E-matters discovered a bug in CVS version 1.11.4 and lower, that can give malignant users remote root access. The exploit was confirmed on BSD, but other OS's like Linux, Solaris and Windows are vulnerable too. A security advisory can be found here and there is also a patch available. CVS version 1.11.5 which is fixed can be downloaded as well."
What fool runs their cvs pserver as root?
Ummm... People using Debian?
On a stock Woody box:
grep cvs /etc/inetd.conf
cvspserver stream tcp nowait.400 root /usr/sbin/tcpd /usr/sbin/cvs-pserver