Subject: Re: CVS Vulnerability
To: None <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 01/21/2003 07:37:19

On Tue, Jan 21, 2003 at 09:36:37AM +1100, Daniel Carosone wrote:
> On Mon, Jan 20, 2003 at 10:58:02PM +0100, firstname.lastname@example.org wrote:
> > http://security.e-matters.de/advisories/012003.html
> > NetBSD CVS servers secure?
> Yes. We were advised of the issue ahead of release and our servers
> were patched, as were the in-tree sources. The construction of
> our anoncvs servers is such that they wouldn't have been vulnerable
> to any useful exploit anyway.

Just to be clear about this, you really have to work at it to make your
anoncvs server vulnerable to this problem; your repository sources or
system binaries must be owned by the user the anoncvs server runs as.
Our anoncvs server has never been configured that way. I have real
trouble understanding how anyone else could so configure theirs; it
seems grossly irresponsible.
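
An added example, not part of the original message and not NetBSD's own tooling: a Python audit for the condition described above, a tree containing files owned by the user a service runs as. It goes one step beyond ownership and also flags group- or world-writable entries; the uid values, file names and temporary tree are constructed for illustration, and a POSIX system is assumed.

```python
import os
import stat
import tempfile

def exposure(st, uid, gids):
    """Return why account (uid, gids) can modify this inode, or None."""
    if st.st_uid == uid:
        return "owned"  # the condition named in the message
    if stat.S_ISLNK(st.st_mode):
        return None  # symlink permission bits carry no meaning
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return "group-writable"  # beyond the message: same effect via group
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return None

def audit(root, uid, gids=()):
    """Check root and everything under it; symlinks are not followed."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        reason = exposure(os.lstat(path), uid, set(gids))
        if reason:
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

def demo():
    """Constructed tree: audited as its owner, then as an unrelated uid."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("readonly,v", 0o644), ("loose,v", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit(root, me), audit(root, me + 1)  # me + 1: hypothetical uid

if __name__ == "__main__":
    as_owner, as_other = demo()
    print("service user owns the tree:", as_owner)
    print("separate service user:     ", as_other)
```

Run against a real repository root or binary directory, pass the service account's numeric uid and its group ids to `audit`; an empty result means that account can modify nothing in the tree.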