Posted: Sun Sep 24, 2017 6:26 pm    Post subject: [ GLSA 201709-17 ] cvs
Gentoo Linux Security Advisory
Title: CVS: Command injection (GLSA 201709-17)
A command injection vulnerability in CVS may allow remote attackers
to execute arbitrary code.
CVS (Concurrent Versions System) is an open-source network-transparent
version control system. It contains both a client utility and a server.
Package: dev-vcs/cvs
Vulnerable: < 1.12.12-r12
Unaffected: >= 1.12.12-r12
Architectures: All supported architectures
It was discovered that when CVS is configured to use SSH for remote
repositories, it allows remote attackers to execute arbitrary code through
a repository URL with a specially crafted hostname.
A remote attacker, by enticing a user to clone a specially crafted
repository, could possibly execute arbitrary code with the privileges of
There is no known workaround at this time.
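The bug class above (a hostname taken from an untrusted :ext: CVSROOT and handed straight to ssh) is what a client-side check should catch before ssh is ever started. The following is an added example, not CVS's own code: it parses the CVSROOT, rejects any host that is not a plain RFC 1123 name (in particular one that is shaped like a command-line option), and terminates option parsing with "--" before the host. Function names and the sample CVSROOT values are my own constructions.

```python
import re

# RFC 1123 hostname: labels of letters, digits and inner hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.I,
)

# CVSROOT shape handled here: :ext:[user@]host[:[port]]/path
EXT_ROOT_RE = re.compile(
    r"^:ext:(?:(?P<user>[^@/:]+)@)?(?P<host>[^:/]*)(?::(?P<port>\d*))?(?P<path>/.*)$"
)


def parse_ext_root(cvsroot: str) -> dict:
    """Split an :ext: CVSROOT into user, host, port and path (port may be '')."""
    m = EXT_ROOT_RE.match(cvsroot)
    if not m:
        raise ValueError(f"not an :ext: CVSROOT: {cvsroot!r}")
    return m.groupdict()


def hostname_is_safe(host: str) -> bool:
    """True only for a syntactically valid hostname that cannot be read as an option."""
    # A value beginning with '-' would be consumed by ssh's option parser
    # rather than treated as the destination host, so it is refused outright.
    if not host or host.startswith("-"):
        return False
    return HOSTNAME_RE.match(host) is not None


def build_ssh_argv(cvsroot: str, server_cmd: str = "cvs server") -> list:
    """Build the argv a client would exec (no shell) to reach the :ext: server."""
    parts = parse_ext_root(cvsroot)
    host = parts["host"]
    if not hostname_is_safe(host):
        raise ValueError(f"refusing to pass unsafe hostname to ssh: {host!r}")
    argv = ["ssh"]
    if parts["port"]:
        argv += ["-p", parts["port"]]
    if parts["user"]:
        argv += ["-l", parts["user"]]
    # '--' ends option parsing, so whatever follows is always the host.
    argv += ["--", host, server_cmd]
    return argv
```

Because the argv is a list passed to an exec-style call, no shell quoting is involved; the only thing that can still go wrong is ssh misreading an argument as an option, which the "--" and the hostname check together prevent.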
All CVS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/cvs-1.12.12-r12"