[cvsnt] Re: Latest update
Tony Hoyle
tmh at nodomain.org
Wed Apr 14 15:40:38 BST 2004
On Tue, 13 Apr 2004 21:53:20 +0100, Tony Hoyle <tmh at nodomain.org>
wrote:
>cvsnt 2.0.38. Stable release.
>
>Just a bugfix release from the last revision (2.0.37).
>
This also addresses the following (synchronised release with the
cvshome.org server):

SERVER SECURITY ISSUES

* Piped checkouts of paths above $CVSROOT no longer work. Previously,
  clients could have requested the contents of RCS archive files
  anywhere on a CVS server.

CLIENT SECURITY ISSUES

* Clients now check paths from the server to verify that they are
  within one of the sandboxes the user requested be updated.
  Previously, a trojan server could have written or overwritten files
  anywhere the user had access, presenting a serious security risk.

These fixes are also in 2.0.37.
For obvious reasons, upgrading is recommended.
Tony
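
The client-side check described in the message above, sketched as an added example (not code from cvsnt or CVS): a server-supplied path is normalised lexically and accepted only if it falls inside one of the sandboxes the user asked to update. The names `normalise` and `path_in_sandbox` are hypothetical; the sketch assumes sandbox names are already-normalised relative paths and does not resolve symlinks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Lexically normalise a server-supplied path ("a/./b/../c" -> "a/c").
   Backslash counts as a separator, since the client also runs on Windows. */
static bool normalise(const char *path, char *out, size_t outsz)
{
    size_t n = 0;
    /* Absolute paths and drive letters are never relative to a sandbox. */
    if (!path || !*path || path[0] == '/' || path[0] == '\\' || path[1] == ':')
        return false;
    while (*path) {
        size_t len = strcspn(path, "/\\");
        if (len == 2 && path[0] == '.' && path[1] == '.') {
            if (n == 0)
                return false;               /* ".." would climb above the working dir */
            while (n > 0 && out[--n] != '/')
                ;                           /* drop the last component */
        } else if (len > 0 && !(len == 1 && path[0] == '.')) {
            if (n + len + 2 > outsz)
                return false;               /* too long: reject, never truncate */
            if (n > 0)
                out[n++] = '/';
            memcpy(out + n, path, len);
            n += len;
        }
        path += len;
        if (*path)
            path++;                         /* skip the separator */
    }
    out[n] = '\0';
    return true;
}

/* True only if the path is a requested sandbox or lies beneath one.
   Matching is on whole components, so "module2" does not pass as "module". */
bool path_in_sandbox(const char *path, const char *const *boxes, size_t count)
{
    char norm[1024];
    if (!normalise(path, norm, sizeof norm))
        return false;
    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(boxes[i]);
        if (strncmp(norm, boxes[i], len) == 0 &&
            (norm[len] == '/' || norm[len] == '\0'))
            return true;
    }
    return false;
}
```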