Subject: Re: CVS Vulnerability
To: None <>
From: Thor Lancelot Simon <>
List: tech-security
Date: 01/21/2003 07:37:19

On Tue, Jan 21, 2003 at 09:36:37AM +1100, Daniel Carosone wrote:
> On Mon, Jan 20, 2003 at 10:58:02PM +0100, wrote:
> > NetBSD CVS servers secure?
>
> Yes. We were advised of the issue ahead of release and our servers
> were patched, as were the in-tree sources.  The construction of
> our anoncvs servers is such that they wouldn't have been vulnerable
> to any useful exploit anyway.

Just to be clear about this, you really have to work at it to make your
anoncvs server vulnerable to this problem; your repository sources or
system binaries must be owned by the user the anoncvs server runs as.

Our anoncvs server has never been configured that way.  I have real
trouble understanding how anyone else could so configure theirs; it
seems grossly irresponsible.
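
A check for the condition described in this message, as an added example that is not part of the original post or of NetBSD's own tooling: it lists files under the given paths that an account owns and, going one step beyond ownership, files that account could write through group or world permissions. The account name `anoncvs` and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): report files that the
# account running an anonymous CVS server could modify.
# Usage (account name and paths are placeholders):
#   sh audit.sh anoncvs /path/to/cvsroot /usr/bin /usr/sbin

audit_writable_by() {
    user=$1; shift
    # Numeric ids of every group the account belongs to.
    gids=$(id -G "$user") || return 2

    # find(1) expression appended after the paths: skip symlinks (their
    # mode bits are meaningless), then match files the account owns or
    # that are world-writable.
    set -- "$@" '!' -type l '(' -user "$user" -o -perm -0002
    # Also match group-writable files whose group the account is in.
    for g in $gids; do
        set -- "$@" -o '(' -group "$g" -perm -0020 ')'
    done
    find "$@" ')' -print
}

# Run only when called with an account and at least one path.
if [ "$#" -ge 2 ]; then
    audit_writable_by "$@"
fi
```

Empty output for the server account means none of the audited files are owned by it or writable by it through mode bits; ACLs are not examined.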