Subject: Re: cvs security problem
From: Greg A. Woods (woods@WEIRD.COM)
Date: Tue Aug 01 2000 - 16:58:21 CDT
- Next message: root: "[ Hackerslab bug_paper ] ntop web mode vulnerabliity"
- Previous message: Daniel Garcia: "Re: Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache BUG"
- In reply to: sama@AGLORIOSO.COM: "Re: cvs security problem"
- Next in thread: Greg A. Woods: "Re: cvs security problem"
- Reply: Greg A. Woods: "Re: cvs security problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ On Monday, July 31, 2000 at 08:12:03 (+0200), sama@AGLORIOSO.COM wrote: ]
> Subject: Re: cvs security problem
>
> Although I don't think it addresses this very problem, you might be
> interested in CVS-nserver (http://alexm.here.ru/cvs-nserver/), a
> rewrite of CVS to make it more modular and secure. I still haven't
> tried it myself, though.
CVS-nserver does not necessarily address the fundamental design issue.
It can be run against the system /etc/passwd or PAM configuration, in
which case it is no different in authorisation terms than SSH (or RSH),
but in the case where it offers "virtual repositories" it repeats the
same fundamental mistake the original cvspserver does and is equally
vulnerable to some types of attacks.
Although CVS-nserver promises SSL support in the future, it is also in
the meantime vulnerable to man-in-the-middle attacks, meaning that even
in non-anonymous configurations it can potentially be subverted into
offering trojaned code, or whatever.
The really simple solution to all this nonsense is to use CVS *only*
through an already secure transport (such as SSH or stunnel or IPsec),
in which case nothing need be changed in CVS itself (except for the
removal of the cvspserver junk! ;-)
-- 
Greg A. Woods  +1 416 218-0098  VE3TCP  <gwoods@acm.org>  <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
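The configuration Greg recommends (CVS reached only over SSH, the cvspserver service removed) expressed as an added audit script. This is not code from the original thread or from the CVS project; it assumes an inetd-style cvspserver line and the CVS :ext: access method driven by CVS_RSH, and the inetd.conf lines and CVSROOT values it checks are constructed sample data, not any real host's configuration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a CVS setup for the
# two things the message asks for: no cvspserver listener, and clients
# that use :ext: over ssh instead of :pserver:.

# Constructed sample inetd.conf (assumption: inetd-style service lines).
SAMPLE_INETD='ftp         stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
cvspserver  stream  tcp  nowait  root  /usr/bin/cvs    cvs --allow-root=/cvsroot pserver
ssh         stream  tcp  nowait  root  /usr/sbin/sshd  sshd -i'

# Read inetd.conf text on stdin. Return 0 when no active (uncommented)
# cvspserver service is defined, 1 when one is.
check_no_pserver() {
    ! grep -v '^[[:space:]]*#' | grep -q '^[[:space:]]*cvspserver[[:space:]]'
}

# Read inetd.conf text on stdin, write it back with every cvspserver
# service line commented out (the "removal of the cvspserver junk").
disable_pserver() {
    sed 's/^\([[:space:]]*cvspserver[[:space:]]\)/#\1/'
}

# Return 0 when a CVSROOT uses the :ext: method (transport supplied by
# CVS_RSH), 1 for :pserver: (cleartext password, no transport security)
# or any other method.
cvsroot_is_ext() {
    case "$1" in
        :ext:*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Return 0 when CVS_RSH names ssh; plain rsh (the historical default for
# :ext:) is cleartext and gets the same MITM exposure as pserver.
cvs_rsh_is_ssh() {
    case "$1" in
        ssh|*/ssh) return 0 ;;
        *)         return 1 ;;
    esac
}

# Combined client check: both the access method and the transport must be
# right. Arguments: CVSROOT value, CVS_RSH value.
audit_cvs_client() {
    cvsroot_is_ext "$1" && cvs_rsh_is_ssh "$2"
}

# Demonstration on the constructed data.
if printf '%s\n' "$SAMPLE_INETD" | check_no_pserver; then
    echo "inetd.conf: no cvspserver service"
else
    echo "inetd.conf: cvspserver is enabled; comment it out:"
    printf '%s\n' "$SAMPLE_INETD" | disable_pserver | grep cvspserver
fi
for root in ':pserver:anoncvs@cvs.example.org:/cvsroot' \
            ':ext:user@cvs.example.org:/cvsroot'; do
    if audit_cvs_client "$root" ssh; then
        echo "ok:     CVS_RSH=ssh cvs -d $root"
    else
        echo "unsafe: cvs -d $root"
    fi
done
```

Run it against a real host by replacing SAMPLE_INETD with `cat /etc/inetd.conf` and the loop values with the CVSROOT strings found in users' CVS/Root files and CVSROOT environment variables; a checkout then looks like `CVS_RSH=ssh cvs -d :ext:user@host:/cvsroot checkout module`, with no CVS-side change needed.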