A CVE has been assigned for a security issue in CVS:
http://openwall.com/lists/oss-security/2017/08/11/4

This is the equivalent issue for CVS to the recently announced issue also affecting subversion (Bug 21495), mercurial (Bug 21502), and git (Bug 21503).

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered maintainer of cvs.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Debian has issued an advisory for this on August 13:
https://www.debian.org/security/2017/dsa-3940

Pushed in updates_testing:

src.rpm:
cvs-1.12.13-25.1.mga5
cvs-1.12.13-26.1.mga6

Assignee: shlomif => qa-bugs
CC: (none) => mageia

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Advisory:
========================

Updated mercurial package fixes security vulnerability:

It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command (CVE-2017-12836).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
https://www.debian.org/security/2017/dsa-3940
========================

Updated packages in core/updates_testing:
========================
cvs-1.12.13-25.1.mga5
cvs-1.12.13-26.1.mga6

from SRPMS:
cvs-1.12.13-25.1.mga5.src.rpm
cvs-1.12.13-26.1.mga6.src.rpm
MGA5-32 on Asus A6000VM Xfce
No installation issues, installed tkcvs as well (GUI is a help).
Got to make new repos and import some files into it by doing at CLI:

    cvs -d <some empty folder> init
    cd Documents
    tkcvs -root <folder as above>

and importing CWD into repos. All seems OK.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
mga6 x86_64
tkcvs already installed.
Installed cvs and followed in Herman's footsteps to create a local repository, switched to tkcvs to check in my bin directory then checked that out into a new empty directory on my data partition.

Installed the updated package and ran through the sequence again, starting from scratch.
One thing to note is that cvs deals in absolute pathnames: e.g.

    $ cvs -d qa/cvs init
    qa: host unknown
    trying normal rsh (/usr/ucb/rsh)
    exec: No such file or directory
    cvs [init aborted]: end of file from server (consult above messages if any)
    $ cvs -d /home/lcl/qa/cvs init
    $ tree cvs
    cvs
    └── CVSROOT
        ├── checkoutlist
        ├── checkoutlist,v
        ├── commitinfo
        .................................
        ├── val-tags
        ├── verifymsg
        └── verifymsg,v

    2 directories, 32 files
    $ cd bin
    $ tkcvs -root /home/lcl/qa/cvs

Used the module browser to check in the bin files to CVS. That all seemed to run fine but I must admit to some confusion about how to specify module paths. This was the result:

    cvs]$ tree
    .
    ├── bin
    │   ├── accumulate,v
    │   ├── backdocs,v
    ....................
    │   ├── yam,v
    │   └── zipx,v
    └── CVSROOT
        ├── checkoutlist

and so on.
Went back into CVS and checked out the bin module into the current directory which was ~/tmp. That worked fine. ~/tmp/bin all present and correct.

So, yes, cvs still works.
CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Validating, advisory uploaded.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => advisory MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Update ID assignment failed

Checking for QA validation keyword…
Checking dependent bugs… (None found)
Checking SRPMs… (5/core/cvs-1.12.13-25.mga5) (6/core/cvs-1.12.13-26.mga6)

'validated_update' keyword reset.
Keywords: validated_update => (none)
Fixed advisory.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0284.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED