Last Modified: Friday, October 4, 2024
What is CVE?

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

What is a "vulnerability"?

An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. See the Terminology page for a complete explanation of how this term is used on the CVE Web site.

Are there any recent security announcements?

We notify customers promptly of security issues by email. Customers are informed of major security events and security releases via an HTML security newsletter. You can read our latest security newsletter here.

Does the CVS Suite software rely on any web services provided by march-hare.com?

CVS Suite software DOES NOT rely on any web services provided by march-hare.com. The software we license to you is run on your own hardware and operates without any connection to our servers. We do security testing/pentest as a normal part of our business, but this does not affect the software we license to you. If our web presence were to totally disappear, the software you have licensed from us would continue to work uninterrupted. We have disaster recovery plans in place for all our software, services, build infrastructure, databases etc. But even if we didn't, this would not affect our customers.

What about OpenSSL "vulnerabilities"?

We do not list all the security issues for the dependent OpenSSL library on Windows, but we do list major ones such as CVE-2016-0800, CVE-2015-0204 and CVE-2014-0160. For a full list of the security notifications for OpenSSL see the OpenSSL web site. As of October 4, 2024, the Windows version of CVS Suite (CVSNT) includes OpenSSL 3.0.15. Check the latest release notes for more up-to-date information.

What about PuTTY plink "vulnerabilities"?

We do not list all the security issues for the dependent PuTTY plink library on Windows, but we do list major ones such as CVE-2017-6542, CVE-2004-1008 and CVE-2015-2157. For a full list of the security notifications for PuTTY see the PuTTY web site. As of June 19, 2020, the Windows version of CVS Suite (CVSNT) includes a modified copy of PuTTY PLINK 0.70 plus the Debian patch for CVE-2019-9898. It is important to check the latest release notes and this page for more up-to-date information, because we irregularly merge in patches from later releases of PuTTY if they are relevant. Both the CVS Suite 2009-7350 and 2009-7480 releases describe the included PuTTY version as 0.70 even though they also include the patch for CVE-2019-9898 (which PuTTY 0.70 itself did not include). We may update the PuTTY version number reported by the plugin in CVS Suite at a later date.

Security FAQs:


CVE-2018-25032 discovered in ZLIB [CVSS 2.0: Medium]
CVE-2019-9898 discovered in PuTTY [CVSS 2.0: High]
CVE-2013-4208 discovered in PuTTY [CVSS 2.0: Low]
CVE-2015-2157 discovered in PuTTY [CVSS 2.0: Low]
CVE-2017-6542 discovered in PuTTY [CVSS 2.0: High]
CVE-2013-4207 discovered in PuTTY [CVSS 2.0: Medium]
CVE-2015-5309 discovered in PuTTY [CVSS 2.0: Medium]
CVE-2013-4206 discovered in PuTTY [CVSS 2.0: Medium]
CVE-2013-4852 discovered in PuTTY [CVSS 2.0: Medium]
CVE-2004-1008 discovered in PuTTY [CVSS 2.0: High]
Vulnerability or Exposure Note 7254 (CVE-2018-6461) in WinCVS
CVE-2010-3190 discovered in MFC
CVE-2016-0800 discovered in OpenSSL
CVE-2015-2157 discovered in PuTTY
CVE-2015-0204 discovered in OpenSSL / CVE-2015-1637 discovered in Schannel
CVE-2014-0160 discovered in OpenSSL
CVE-2012-0804 discovered in CVS
CVE-2010-3846 discovered in CVS
Vulnerability or Exposure Note 5871 (CVE-2010-1326) in CVSNT
CVE-2009-3736 discovered in libltdl (libtool)
CAN-2005-2096 discovered in zlib
CAN-2005-2693 discovered in CVSBUG
CAN-2005-2491 discovered in the PCRE library
Misconfigured CVSNT Servers on Unix and Linux do not enforce limited repositories
CAN-2005-0753 discovered in CVS
CAN-2004-0396 discovered in CVS
CAN-2004-0778 discovered in CVS
Is CVSNT more secure than CVS?
Can CVS/CVSNT client users execute arbitrary programs on the server?
What can I do to maximise the security of my CVS installation?
Why are security protocols/authentication mechanisms important?
What are the drawbacks to using server authentication?
What security protocols/authentication mechanisms do March Hare Software recommend?
What is a "chroot jail" and how do I set one up?



Is CVSNT affected by the security vulnerability CVE-2018-25032 discovered in ZLIB?


CVS Suite (CVSNT) Server and Client may be affected by CVE-2018-25032 [CVSS 2.0: Medium] unless compression is disabled (eg: cvs -z0 checkout). Versions of CVSNT 2.8.01 build 8078, CVSNT 2.8.02 build 8078, CVS Suite 2009-8078, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. On many versions of Linux including Red Hat Enterprise Linux 7, CVS Suite will use the system zlib and not an 'internal' zlib. In this case upgrading the system zlib will resolve this security issue and an upgrade to CVS Suite itself is not required. We believe that it would be difficult to attack a CVSNT Server using CVE-2018-25032 as a vector, including an attacker being able to commit a malicious file to the repository, or directly place malicious files in the repository for download by the client. Even if an attack is possible, general file system security and system authentication security should defeat it in most situations. However build 8078 and later include zlib's fixes and customers who are concerned that this vulnerability may affect them should upgrade.

Is CVSNT affected by the security vulnerability CVE-2019-9898 discovered in Putty?


If you use the :ssh: protocol, then CVSNT may be affected by CVE-2019-9898 [CVSS 2.0: High]. The PuTTY team's description of this bug is available here. Versions of CVSNT 2.8.01 build 7350, CVSNT 2.8.02 build 8078, CVS Suite 2009-7350, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. We have not yet issued a fix for CM Suite and will update this note when one is available. The SSH connector included in CVS Suite 2009-7350, 2009-7480 and 2010-8078 identifies PLINK as version 0.70; however, it has the fix for this issue applied. We may elect to change this version number later to reflect that this has been patched, but this has not yet been decided.

Is CVSNT affected by the security vulnerability CVE-2013-4208 discovered in Putty?


If you use the :ssh: protocol, then CVSNT may be affected by CVE-2013-4208 [CVSS 2.0: Low]. The PuTTY team's description of this bug is available here. Versions of CVSNT 2.8.01 build 7272, CVSNT 2.8.02 build 8078, CVS Suite 2009-7272, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. We have not yet issued a fix for CM Suite and will update this note when it is available.

Is CVSNT affected by the security vulnerability CVE-2015-2157 discovered in Putty?


If you use the :ssh: protocol, then CVSNT may be affected by CVE-2015-2157 [CVSS 2.0: Low]. The PuTTY team's description of this bug is available here. Versions of CVSNT 2.8.01 build 7272, CVSNT 2.8.02 build 8078, CVS Suite 2009-7272, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. We have not yet issued a fix for CM Suite and will update this note when it is available.

Is CVSNT affected by the security vulnerability CVE-2017-6542 discovered in Putty?


If you use the :ssh: protocol, then CVSNT may be affected by CVE-2017-6542 [CVSS 2.0: High/CVSS 3.x: Critical]. The PuTTY team's description of this bug is available here. Versions of CVSNT 2.8.01 build 7272, CVSNT 2.8.02 build 8078, CVS Suite 2009-7272, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. We have not yet issued a fix for CM Suite and will update this note when it is available.

Is CVSNT affected by the security vulnerability CVE-2013-4207 discovered in Putty?


If you use the :ssh: protocol, then CVSNT may be affected by CVE-2013-4207 [CVSS 2.0: Medium]. The PuTTY team's description of this bug is available here. Versions of CVSNT 2.8.01 build 7272, CVSNT 2.8.02 build 8078, CVS Suite 2009-7272, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. We have not yet issued a fix for CM Suite and will update this note when it is available.

Is CVSNT affected by the security vulnerability CVE-2015-5309 discovered in Putty?


If you use the :ssh: protocol, then CVSNT may be affected by CVE-2015-5309 [CVSS 2.0: Medium]. The PuTTY team's description of this bug is available here. Versions of CVSNT 2.8.01 build 7272, CVSNT 2.8.02 build 8078, CVS Suite 2009-7272, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. We have not yet issued a fix for CM Suite and will update this note when it is available.

Is CVSNT affected by the security vulnerability CVE-2013-4206 discovered in Putty?


If you use the :ssh: protocol, then CVSNT may be affected by CVE-2013-4206 [CVSS 2.0: Medium]. The PuTTY team's description of this bug is available here. Versions of CVSNT 2.8.01 build 7272, CVSNT 2.8.02 build 8078, CVS Suite 2009-7272, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. We have not yet issued a fix for CM Suite and will update this note when it is available.

Is CVSNT affected by the security vulnerability CVE-2013-4852 discovered in Putty?


If you use the :ssh: protocol, then CVSNT may be affected by CVE-2013-4852 [CVSS 2.0: Medium]. The PuTTY team's description of this bug is available here. Versions of CVSNT 2.8.01 build 7272, CVSNT 2.8.02 build 8078, CVS Suite 2009-7272, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. We have not yet issued a fix for CM Suite and will update this note when it is available.

Is CVSNT affected by the security vulnerability CVE-2004-1008 discovered in Putty?


If you use the :ssh: protocol, then CVSNT may be affected by CVE-2004-1008 [CVSS 2.0: High]. The PuTTY team's description of this bug is available here. Versions of CVSNT 2.8.01 build 7272, CVSNT 2.8.02 build 8078, CVS Suite 2009-7272, CVS Suite 2010-8078 and later builds of CVS Suite 2009 and CVS Suite 2010 are not affected by this issue. We have not yet issued a fix for CM Suite and will update this note when it is available.

Vulnerability or Exposure Note 7254 (CVE-2018-6461) in WinCVS


Please refer to Vulnerability or Exposure Note 7254 for detailed information.

CVS Suite 2009R2 [CVSNT 2.8.01.6610] (released after 1st February 2018) is not affected by this issue. This vulnerability was discovered by hyp3rlinx / apparition security.

Are WinCVS and WinMerge affected by the recent security vulnerability CVE-2010-3190, an untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library?


Community versions of WinMerge before 2.14 (including version 2.12.4) are affected by CVE-2010-3190. All versions of WinMerge before CVS Suite 2009R2 build 6610 are affected by CVE-2010-3190. All versions of WinCVS before CVS Suite 2009R2 build 6610 are affected by CVE-2010-3190. Note: The mitigations for CVE-2018-6461 (described in Vulnerability or Exposure Note 7254) also address this issue by explicitly removing the Current Working Directory from the DLL LoadLibrary path. To resolve this issue upgrade to CVS Suite 2009R2 build 6610 or later, or read the Microsoft publication KB2264107 and install the hotfix and registry setting as a mitigation for this vulnerability or exposure. This vulnerability was discovered by hyp3rlinx / apparition security.

Is CVSNT affected by the recent security vulnerability CVE-2016-0800, nicknamed "DROWN" (Decrypting RSA with Obsolete and Weakened eNcryption), discovered in OpenSSL?


CVSNT 2.x SSERVER and SYNC are impacted by CVE-2016-0800. Note: The mitigations in place in CVS Suite 2009-5561 and CVS Suite 2010-5561 for CVE-2015-0204 also address this issue by explicitly disabling SSLv2 and restricting the ciphers depending on the default or the user-specified cipher list. However, in an abundance of caution we have upgraded the OpenSSL library in CVS Suite for Windows 2009-6145 and later. On Windows we recommend using CVS Suite 2009-6145 (released after 1st December 2016) or CVS Suite 2010-6145 (released after 1st December 2016). On Linux and Mac OS X please refer to the notes for CVE-2015-0204.

Is CVSNT affected by the recent security vulnerability CVE-2015-2157 discovered in Putty?


CVSNT is affected by CVE-2015-2157. Versions of CVSNT 2.8.01 build 5698, CVS Suite 2009-5698, CVS Suite 2010-5698 and later are not affected by this issue. We have also applied the PuTTY Diffie-Hellman range check patch (MATTA-2015-002) to this release.

Is CVSNT affected by the recent security vulnerability CVE-2015-0204 nicknamed "FREAK" (Factoring RSA Export Keys) discovered in OpenSSL and/or CVE-2015-1637 discovered in Schannel?


Please refer to the note "CVSNT 2.x SSERVER and SYNC impacted by CVE-2015-0204 and/or CVE-2015-1637" for detailed information. Note: this fix also addresses the known RC4 weak encryption problem, the so-called 'Bar Mitzvah' attack.

CVS Suite 2009-5561 [CVSNT 2.8.01.5561] (released after 30th March 2015) and CVS Suite 2010-5561 [CVSNT 2.8.02.5561] (released after 30th March 2015) are not affected by this issue. CVS Suite 2009-6002, 2009-6052, 2009-6094, 2010-6002, 2010-6052, 2010-6094 are still vulnerable. We recommend using CVS Suite 2009-6145 (released after 1st December 2016) or CVS Suite 2010-6145 (released after 1st December 2016).

Is CVSNT affected by the recent security vulnerability CVE-2014-0160 discovered in OpenSSL?


No. CVS Suite 2008R2, CVS Suite 2009 and CVS Suite 2009R2 are not affected by CVE-2014-0160.

Is CVSNT affected by the recent security vulnerability CVE-2012-0804 discovered in CVS?


No. CVSNT is not affected by CVE-2012-0804. Versions of CVS 2.x are not affected by this issue.

Is CVSNT affected by the recent security vulnerability CVE-2010-3846 discovered in CVS?


No. CVSNT is not affected by CVE-2010-3846. Versions of CVS 2.x are not affected by this issue.

Vulnerability or Exposure Note 5871 (CVE-2010-1326)


Please refer to Vulnerability or Exposure Note 5871 for detailed information.

CVS Suite 2008 [CVSNT 2.5.03.3736] (released after 16th March 2010), CVS Suite 2009 [CVSNT 2.8.01.3729] (released after 11th March 2010), CVSNT 2.5.04.2862 (released after 26th October 2007) and later including CVSNT 2.5.05 are not affected by this issue.

Is CVSNT affected by the recent security vulnerability CVE-2009-3736 discovered in libltdl (libtool)?


CVSNT is not affected by CVE-2009-3736. CVSNT uses libtool on Linux/Unix (Solaris and HPUX) and Mac OS X to hide the complexity of loading dynamic runtime libraries - it is NOT used on MS Windows. The vulnerability is limited to software that uses libltdl to load libraries that have an associated .la file with a non-empty old_library field and is only a problem if a static archive was built. On Unix/Linux and Mac OS X, CVSNT is only run privileged (and therefore needs to be secure) when started from inetd, xinetd or cvsmanager - in these cases the user LD_LIBRARY_PATH and/or current directory cannot be compromised without already having root privileges.

Is CVSNT affected by the recent security vulnerability CAN-2005-2096 discovered in zlib?


CVSNT on some systems/platforms is affected by CAN-2005-2096. If on your platform CVSNT is linked to a shared version of zlib then you should contact your operating system vendor to ensure that zlib has been updated to resolve this issue. Statically linked versions of CVSNT 2.5.03 (released after 23rd June 2006) are not affected by this issue.

Is CVSNT affected by the recent security vulnerability CAN-2005-2693 discovered in CVSBUG?


No. CVSNT is not affected by CAN-2005-2693. Versions of CVSNT 2.x (released on 4th April 2003) are not affected by this issue.

Is CVSNT affected by the recent security vulnerability CAN-2005-2491 discovered in the PCRE library?


Yes. CVSNT is affected by CAN-2005-2491. Versions of CVSNT 2.5.02 build 2088 and later (released on 12th September 2005) are not affected by this issue. To exploit this vulnerability the attacker would already require access to the CVSROOT. CVSNT is designed so that any person with access to CVSROOT should be assumed to have permission to run arbitrary code on the server, therefore the risk of damage caused by this vulnerability is classified as low for CVSNT server users. Running CVSNT in a chroot jail will prevent any attack affecting other software running on the same server.

Misconfigured CVSNT Servers on Unix and Linux do not enforce limited repositories


CVSNT is designed to restrict access to defined repositories on a server. If CVSNT is misconfigured on a Linux or Unix server then this function may be disabled. The configuration file /etc/cvsnt/PServer should be readable by all users to ensure that the CVSNT server can read the list of available repositories. Versions of CVSNT 2.5.02 (released on 22nd August 2005) are not affected by this issue.

Is CVSNT affected by the recent security vulnerability CAN-2005-0753 discovered in CVS?


No. CVSNT is not affected by CAN-2005-0753. Versions of CVSNT 2.x (released on 4th April 2003) are not affected by this issue.

Is CVSNT affected by the recent security vulnerability CAN-2004-0396 discovered in CVS?


CVSNT is not affected by CAN-2004-0396. Versions of CVSNT 2.x (released on 4th April 2003) are not affected by this issue.

Is CVSNT affected by the recent security vulnerability CAN-2004-0778 discovered in CVS?


CVSNT is affected by CAN-2004-0778. Versions of CVSNT 2.0.51 build D and later are not affected by this issue. On Unix (Solaris, HPUX, Red Hat, Mac OS X etc) this problem does not arise if CVS is protected in a "chroot jail" as recommended by March Hare Software (see below). On Windows systems the vulnerability is of limited value since it only allows the hacker to identify that a file exists, not execute it or read it. Since most Windows systems contain the same files in the same location, having such a "back door" is of limited use.

Is CVSNT more secure than CVS?


CVSNT is not immune from security vulnerabilities - however we have mitigated the risks to CVSNT users by designing it to operate in a secure and robust way. The evidence is that CVSNT is not affected by CAN-2004-0396.

CVSNT 2.0.51b includes the ability to lock down the server (in a "chroot jail") so it always operates as a nonprivileged user. As well as dropping privileges the whole process is then sandboxed into a small area and cannot go any further.

Can CVS/CVSNT client users execute arbitrary programs on the server?


It should be assumed that anyone with commit access to the CVSROOT directory in the repository is capable of running any arbitrary executable. CVSNT server allows you to specify permissions on each directory to prevent this access. Additional security tools such as chroot and run-as-user also help guard against arbitrary code execution by clients.

What can I do to maximise the security of my CVS installation?


We recommend our CVS Professional Support services which will keep you informed of security issues and have an installation programme designed to ensure that CVSNT is correctly configured at your site.

Why are security protocols/authentication mechanisms important?


The authentication mechanism is separate from the rest of CVSNT, and until you can log on you cannot use any of the more sophisticated hacking techniques to damage files and folders.

Authentication can be further removed to the operating system of the server itself. For maximum security March Hare recommend allowing the server operating system to handle security: SSPI (Kerberos only, with NTLM disabled), and ssh (using a Unix server and high-strength RSA keys).

What are the drawbacks to using server authentication?


Some administrators can be concerned that allowing the server operating system to authenticate users can pose a security threat in itself. The expectation is that if a hacker can bypass the operating system security then they have "free rein".

This can be mitigated by setting expiration times on the security tickets (eg: Microsoft Active Directory has a Kerberos ticket lifetime that can be locked down so it doesn't automatically renew), and the CVSNT passwd file can be used to restrict authenticated users to a subset of the possible users on the server.

What security protocols/authentication mechanisms do March Hare Software recommend?


We recommend that pserver is disabled (CVSNT allows protocols to be disabled without the need to re-compile). For specific client and server protocols please see the tables below:

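Server Platform Security Recommendation

| Server   | Protocol    | CVSNT | CVS    |
|----------|-------------|-------|--------|
| Windows  | sserver [1] | YES   | NO     |
| Mac OS X | ssh         | YES   | NO [3] |
| Unix     | ssh         | YES   | NO [3] |

Client Platform Security Recommendation

| Client (Server)                | Protocol               | CVSNT | CVS    |
|--------------------------------|------------------------|-------|--------|
| Windows (Windows)              | sserver [1]            | YES   | NO     |
| Windows (non-Windows)          | ssh                    | YES   | NO [3] |
| Mac OS X or Unix (Windows)     | sserver or gserver [2] | YES   | NO     |
| Mac OS X or Unix (Non-Windows) | ssh                    | YES   | NO [3] |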

Notes
1: SSPI is also considered secure provided that Active Directory is set to enable Kerberos authentication only (ie NTLM disabled)
2: Where Gserver is available it provides equivalent security to ssh
3: CVS can be configured to use SSH, however additional tools and configuration are required (CVSNT includes an SSH protocol to make this simpler)


What is a "chroot jail" and how do I set one up?


A "chroot jail" is a security mechanism for Unix based operating environments such as Red Hat Linux, Solaris, HPUX and Mac OS X. It is a place to install CVSNT so that no other files can be accessed either accidentally or by a hacker.

Set the Chroot variable in /etc/cvsnt/PServer and it'll chroot after doing the authentication - you no longer need to put any libraries in the chroot which is much safer (it just needs a /tmp to put the temporary files in).
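The two PServer points made on this page (the file must be readable by all users, and Chroot should be set, with a /tmp inside the jail) can be checked with a short script. This is an added example, not March Hare's own tooling; it assumes settings are written as Key=Value lines with '#' comments, and the function names and the optional staging-root argument are hypothetical.

```shell
#!/bin/sh
# Audit a CVSNT PServer configuration file (normally /etc/cvsnt/PServer).
# Assumption: settings are "Key=Value" lines and '#' starts a comment.

# Print the value of the last uncommented "Chroot=" line, or nothing.
pserver_chroot() {
    sed -n 's/^[[:space:]]*Chroot[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_pserver FILE [ROOT]
# ROOT (hypothetical helper argument) is prepended to the Chroot value so the
# check can run against a staged copy of a filesystem; omit it on a live host.
# Prints one line per check and returns the number of failed checks.
audit_pserver() {
    conf=$1 root=${2:-} fails=0

    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf does not exist"
        return 1
    fi

    # The "other" read bit is the 8th character of the ls -l mode string.
    case $(ls -ld "$conf") in
        ???????r*) echo "OK: $conf is readable by all users" ;;
        *) echo "FAIL: $conf is not readable by all users"
           fails=$((fails + 1)) ;;
    esac

    jail=$(pserver_chroot "$conf")
    if [ -z "$jail" ]; then
        echo "FAIL: Chroot is not set"
        fails=$((fails + 1))
    elif [ ! -d "$root$jail" ]; then
        echo "FAIL: Chroot directory $jail does not exist"
        fails=$((fails + 1))
    elif [ ! -d "$root$jail/tmp" ]; then
        echo "FAIL: $jail has no tmp directory for temporary files"
        fails=$((fails + 1))
    else
        echo "OK: Chroot=$jail exists and contains tmp"
    fi
    return "$fails"
}

# Constructed sample: a staged root holding a jail and a matching config.
demo=$(mktemp -d)
mkdir -p "$demo/srv/cvsjail/tmp"
printf '%s\n' '# constructed sample' '#Chroot=/old/jail' \
    'Chroot=/srv/cvsjail' > "$demo/PServer"
chmod 644 "$demo/PServer"
audit_pserver "$demo/PServer" "$demo"
rm -rf "$demo"
```

On a live server, run `audit_pserver /etc/cvsnt/PServer`; a non-zero exit status is the number of checks that failed.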



Copyright © 2015. March Hare Pty Ltd
All rights reserved.