From: Stijn Hoop (stijn_at_win.tue.nl)
Date: Tue Jan 21 2003 - 09:23:52 CST

    On Wed, Jan 22, 2003 at 12:16:21AM +0900, Tod McQuillin wrote:
    >
    > Heads up... http://security.e-matters.de/advisories/012003.html
    >
    > I don't know if FreeBSD is affected but the advisory claims "I was also
    > able to create proof of concept code that uses this vulnerability to
    > execute arbitrary shell commands on BSD servers".

    Hmmm, I don't get this:

    The advisory claims that 'This does not apply to :pserver: method only',
    but what other method exists where you don't have to have a shell account?
    In other words, I have a CVS server where people use :ext: with
    CVS_RSH=ssh. How can one compromise this setup without compromising SSH?

    Or am I missing other CVS access methods?

    --Stijn

    -- 
    SIGSIG -- signature too long (core dumped)
    
