CVSNT 2.x Client & Server, SSERVER and SYNC impacted by ZLIB and OpenSSL Security Advisories
March Hare Software CVS Suite (CVSNT) uses the ZLIB library in the CVSNT client and server, and the OpenSSL encryption libraries within the SSERVER and SYNC protocols. Both libraries have known security vulnerabilities. Important security advisories related to this release:
CVE-2018-25032 discovered in ZLIB [CVSS 2.0: Medium]
CVE-2022-0778 discovered in OpenSSL [Severity: High]
CVE-2021-4160 discovered in OpenSSL [Severity: Moderate]
CVE-2021-3711 discovered in OpenSSL [Severity: High]
CVE-2021-3450 discovered in OpenSSL [Severity: High]
CVE-2021-23841 discovered in OpenSSL [Severity: Moderate]
CVE-2020-1971 discovered in OpenSSL [Severity: High]
CVE-2020-1967 discovered in OpenSSL [Severity: High]
CVE-2019-1551 discovered in OpenSSL [Severity: Low]
More information is available at https://www.march-hare.com/cvspro/security.htm
Who is affected?
Windows, MacOS, Linux, Unix, OS/400 and z/Linux customers are affected.
If you are using Linux with the CVS Suite -rhel5- or -rhel7- packages, CVSNT uses the system's shared ZLIB and OpenSSL libraries, so your system vendor will provide updates that resolve these security issues. Contact your Linux vendor for updates. You do NOT have to upgrade CVS Suite.
If you are using Ubuntu or SLES Linux with the CVS Suite x64 -sl9- or .deb.gz packages, the same applies: your system vendor will provide updates that resolve these security issues by updating the shared libraries. Contact your Linux vendor for updates. You do NOT have to upgrade CVS Suite.
On Windows the CVS Suite (CVSNT) installer includes a vulnerable copy of the ZLIB library statically linked into cvsnt.exe, and the protocol modules sserver_protocol.dll, sync_protocol.dll, protocols/sync.dll and protocols/sserver.dll link against OpenSSL. The same installer ships the vulnerable OpenSSL libraries as ssleay32_vc71.dll and libeay32_vc71.dll. Because ZLIB is statically linked, patching shared libraries on the machine does not remove it; only an updated cvsnt.exe does.
Until the update is installed, the only available workaround is to run the client with cvs -z0 (compression level 0, so the ZLIB code path is not exercised on the wire) and to connect over a protocol that does not use OpenSSL, e.g. SSPI (with NTLM disabled in the Active Directory) or GSERVER, instead of SSERVER or SYNC. Note that -z is a per-invocation global option of the cvs client; to make -z0 stick for a user, put it on the global cvs line of that user's .cvsrc. The workaround avoids exercising the vulnerable code but does not remove it.
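The workaround above depends on two client-side settings that are easy to audit across a fleet of working copies: the access method named in each working copy's CVS/Root file (sserver and sync go through the OpenSSL-backed protocol modules) and the -z level on the global cvs line of .cvsrc. The following Python script is an added example written for this page, not March Hare code: it walks a directory tree for CVS/Root files, extracts the CVSROOT method, reads the compression level from a .cvsrc, and reports working copies that still use sserver/sync or compression. Function names and the sample inputs are constructed for the example; the CVSROOT and .cvsrc syntax it parses is the standard CVS/CVSNT syntax.

```python
"""Audit CVS working copies against the CVSNT advisory workaround.

Added example, not March Hare code. Checks two client-side settings:
  * the access method named in each CVS/Root (sserver and sync go through
    the OpenSSL-backed protocol DLLs on Windows), and
  * the -z compression level on the global 'cvs' line of .cvsrc
    (any level above 0 exercises zlib on the wire).
Function names and sample inputs are constructed for this example.
"""
import re
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# Methods that load sserver_protocol.dll / sync_protocol.dll (bundled OpenSSL).
OPENSSL_METHODS = {"sserver", "sync"}
# Alternatives the advisory names (SSPI with NTLM disabled, or GSERVER).
PREFERRED_METHODS = {"sspi", "gserver"}

# ':method[;opt=val;...]:' prefix of a CVSROOT; CVSNT allows ';' options.
_METHOD_RE = re.compile(r"^:(?P<method>[A-Za-z]+)(?:;[^:]*)?:")
# '-z3' or '-z 3' among the global options on the 'cvs' line of .cvsrc.
_Z_RE = re.compile(r"(?:^|\s)-z\s*(?P<level>\d)")


def cvsroot_method(cvsroot: str) -> str:
    """Access method of a CVSROOT string, lower-cased.
    ':pserver:u@h:/r' -> 'pserver'; 'h:/r' -> 'ext' (rsh/ssh); '/r' -> 'local'."""
    text = cvsroot.strip()
    match = _METHOD_RE.match(text)
    if match:
        return match.group("method").lower()
    return "ext" if ":" in text else "local"


def cvsrc_compression_level(cvsrc_text: str) -> Optional[int]:
    """-z level from the global 'cvs' line of a .cvsrc, or None when unset
    (cvs then sends uncompressed unless -z is given on the command line)."""
    for line in cvsrc_text.splitlines():
        words = line.split()
        if words and words[0] == "cvs":
            match = _Z_RE.search(line)
            if match:
                return int(match.group("level"))
    return None


def assess(cvsroot: str, z_level: Optional[int]) -> List[str]:
    """Findings for one working copy; an empty list means the workaround holds."""
    findings = []
    method = cvsroot_method(cvsroot)
    if method in OPENSSL_METHODS:
        findings.append(f"{method}: bundled OpenSSL in use; move to sspi or gserver")
    if z_level:  # None or 0 means no compression, so zlib is not exercised
        findings.append(f"-z{z_level}: zlib compression requested; set 'cvs -z0' in .cvsrc")
    return findings


def find_cvs_roots(top: Path) -> Iterator[Tuple[Path, str]]:
    """Yield (working copy directory, CVSROOT) for every CVS/Root under top."""
    for root_file in top.rglob("CVS/Root"):
        cvsroot = root_file.read_text(encoding="utf-8", errors="replace").strip()
        yield root_file.parent.parent, cvsroot


def audit_tree(top: Path, cvsrc_text: str) -> List[Tuple[Path, List[str]]]:
    """Return (directory, findings) for each working copy that fails a check."""
    z_level = cvsrc_compression_level(cvsrc_text)
    report = []
    for wc_dir, cvsroot in find_cvs_roots(top):
        findings = assess(cvsroot, z_level)
        if findings:
            report.append((wc_dir, findings))
    return report


if __name__ == "__main__":
    import tempfile

    # Constructed sample: two working copies and a .cvsrc that still asks for -z3.
    with tempfile.TemporaryDirectory() as tmp:
        for name, cvsroot in (("proj-a", ":sserver:bob@cvs.example.test:/repo"),
                              ("proj-b", ":sspi:bob@cvs.example.test:/repo")):
            cvs_dir = Path(tmp, name, "CVS")
            cvs_dir.mkdir(parents=True)
            (cvs_dir / "Root").write_text(cvsroot + "\n")
        for wc_dir, findings in audit_tree(Path(tmp), "cvs -q -z3\nupdate -d\n"):
            print(wc_dir.name, "->", "; ".join(findings))
```

Run it against each user's home directory (or a checkout root) together with that user's .cvsrc. It checks only what the client requests; the statically linked ZLIB copy and the shipped OpenSSL DLLs remain on disk until the Build 8078 update is installed, so treat a clean report as confirmation of the stop-gap, not as remediation.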
Solution - Apply an Update
On Unix and Linux (except the -rh9- package) - installing the Operating System vendor's ZLIB and OpenSSL patches will resolve the issue for that server/PC.
On Windows (client and server) you will need to install an updated release of CVS Suite (CVSNT). This issue is addressed in CVS Suite 2009R2 Build 8078 and CVS Suite 2010 Build 8078. Customers with an active software maintenance contract will be able to download the update from the customer area of the march-hare.com web site.
Release Notes
CVS Suite 2009-8078 also includes improvements to the eBook documentation and more - the release notes detailing all changes since 2009-7272 are available. Release notes for changes since the last community edition 2.5.03.2382 and changes since CVS Suite 2008 are also available.
Support expired? No download in customer area?
If you purchased CVS Suite 2008 with a free upgrade to CVS Suite 2009 - that upgrade was in the customer downloads area from July 2010 onwards.
All customers can download the software they purchased for 120 days from the purchase date only. To get the latest updates, you need to purchase annual software maintenance and support (5 levels to choose from).
If you previously purchased annual maintenance and support, but it has expired and you have not received an invoice for renewal, you can email renewals@march-hare.com for a quote.
Purchase/Renew Online (web store) and PayPal
In May 2021 our old cloud based web store vendor unexpectedly announced that our 'product level' would not entitle us to the latest credit card / PCI compliance, which suddenly prevented us from accepting any credit card payments. They offered to 'upgrade' us to a higher level if we paid significantly more annually (several hundred percent more). We decided that this was not a good use of the money you pay us to maintain CVS Suite. So we decided to take advantage of the opportunity to bring the web store 'in house'. During the period the web store is unavailable, we are taking payment by PayPal. Just email sales@march-hare.com for a PayPal invoice. We expect our new online store to be back later this month.
Renewal Notices
The system we use for quotations, invoices and renewal notices was tied closely with our online store. Unfortunately this upgrade has taken an extended period to complete which has affected our ability to send automated renewal notices when your maintenance expires. We sincerely apologise for any inconvenience this has caused. Please email renewals@march-hare.com for a quote or invoice if our manual process has missed you.
Forgot your customer area password?
On the login page use the link labelled Forgot your password?. Enter your e-mail address, then click send email. As part of our migration to a customer identity management system all customer passwords were reset on June 22, 2021.
Patch/Update schedule
If a customer has reported a problem that we diagnose as requiring an update/patch to the software, these patch releases are made available on a fortnightly cycle. No updates will be made during August or January (summer & Christmas vacations). If updates are available they will be published on: May 20, 2022; June 3, 2022; June 17, 2022; July 1, 2022; July 15, 2022; September 23, 2022; October 7, 2022; October 21, 2022; November 4, 2022 etc.
Release Cycle Changes
On 6th February 2020 we announced a release plan for major updates to CVS Suite. Within four weeks the global impacts of the COVID-19 pandemic were being felt and customers were asking us not to make such large changes during a period of great uncertainty. We therefore focussed on updating internal systems (see above) and put these plans on hold. Once our internal system upgrades are complete, we will once again proceed with our plans for major software updates.
We will continue to develop and release CVS Suite 2009R2, however later in 2022 we will begin releasing two options for windows customers: 'winxp/7/8/10' and 'new:win10/11' releases. The 'new:win10/11' releases will be built using a newer buildchain, but will be otherwise the exact same code/product. We will be encouraging all customers running Windows 10/11 or Server 2016/2019/2022 to upgrade using the newer installers. Customers on older versions of windows will have access to the exact same software releases, but built using the old toolchain.
We are releasing support for Ubuntu 14.04 LTS and 18.04 LTS in 2022.
Later in 2022 we will be again looking at the 2.8.02 product, which will only support newer operating systems like Windows 10/11, Windows Server 2016-2022, Red Hat 8 and SuSE 11/12.
Some of our integrations currently rely on 'old' versions of partner products (like Jira). Usually we only update these with 'new' releases of CVS Suite like 2.8.02 - however because of the extended lifetime of CVS Suite 2009R2 we are looking to try and update these within the 2009R2 lifecycle. If you have a particular requirement please discuss this with your technical account manager.
If you have any questions or concerns about this plan, please discuss them with your technical account manager or email sales@march-hare.com.
HPUX (Itanium and PA-RISC) and Solaris (Sparc)
Due to declining customer interest in these platforms we are no longer creating new builds and releases. We still retain the capability of supporting and releasing builds for these platforms, should a customer request it.
AIX (PowerPC), z/Linux (IBM Z) and other platforms
We have performed internal testing on several other platforms and are able to quickly deliver solutions for them. However at this time we are not planning on releasing builds for these platforms until a customer requests it through our 'pay for feature' programme.
The schedule
We announce today the planned release and support schedule for CVS Suite.
CVS Suite 2009R2 with high performance server
Product | Platforms | Availability
CVS Suite | Windows XP-Windows 10 (11*), Mac, Red Hat Enterprise Linux ES4/5/6/7 | Available now
CVS Suite x64 | SLES9 / Ubuntu | Available now
CVS Suite new | Windows 10 & 11 | Estimate: Q4 2022
Plugin Update | Windows 10 & 11, Mac, Red Hat Enterprise Linux 7/8 | Estimate: Q1 2023

CVS Suite 2.8.02 with new features
Product | Platforms | Availability
CVS Suite | Windows 10 & 11, Mac, Red Hat Enterprise Linux 7/8 | Estimate: Q2 2023
CVS Suite x64 | SLES11/12, Ubuntu | Available: TBA

CVS Suite 2.8.03 with Team View & Server Change Management
Product | Platforms | Availability
CVS Suite | Windows 10 & 11, Mac, Red Hat Enterprise Linux 7/8 | Available: TBA
CVS Suite x64 | SLES11/12, Ubuntu | Available: TBA

Support for other platforms available on request. Note *: we have not tested this release on Windows 11; however, Microsoft have informed us that our Windows 10 release should be compatible. If you encounter specific problems with Windows 11 please contact us.
Other products
These products are also available now.
Automatic CVS: silently track changes to files, eg: on a file server
CVS4S | Windows XP-Windows 11, Windows Server 2003/2008/2012/2016/2019/2022 | Available now

CM Suite: single server for SVN, CVS and VSTS clients
CM Suite 2008 | Windows and SQL Server 2005 | Available now

Case Sensitive: NTFS case sensitive files on Windows
CVSCASE | Windows XP-Windows 11, Windows Server 2003/2008/2012/2016/2019/2022 | Available now

CVS for iSeries: version RPG, Fortran and CL in IFS file systems
CVSISERIESP05 | OS/400 V5R1 to i5/OS 7.1 | Available now

UD6 & UD6 Option Pack: Uniface 4GL source code stored in files
UD6 | For Uniface 6.1 to Uniface 10.3 (10.4 coming soon) | Available now
Retired products
CVS Suite 2.5.03
CVS Suite | Windows 2000-Windows 7, Mac, Red Hat Enterprise Linux ES4/5 | Upgrade support to 2009R2.
CVS Suite x64 | SLES9 | Upgrade support to 2009R2.
CVS Suite x64 | HPUX and Solaris | Upgrade support to 2008.

CVS Suite 2008 (CVSNT 2.5.03 SP2) build 3226 and later
CVS Suite | Windows 2000-Windows 7, Mac, Red Hat Enterprise Linux ES4/5 | Support ended December 2012
CVS Suite x64 | SLES9 | Support ended December 2012
CVS Suite x64 | HPUX (Itanium and PA-RISC) and Solaris (Sparc) | Limited support
Since 1999 we have been supplying solutions to effectively manage change: to documents; to source code in text files, and Uniface projects. Today March Hare Software produce the most popular software tools for versioning in commercial software development and provide professional services worldwide. CVS Suite and CM Suite took only a couple of years to establish thousands of licensees. Every year we continue to maintain thousands of customers and add new licensees.
Sincerely,
The March Hare Team:
Thursday May 9th, 2022