Subject: Re: CVS Vulnerability
To: None <tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 01/21/2003 07:37:19
On Tue, Jan 21, 2003 at 09:36:37AM +1100, Daniel Carosone wrote:
> On Mon, Jan 20, 2003 at 10:58:02PM +0100, hypno@sajberbettan.kennelsonline.net wrote:
> > 
> > http://security.e-matters.de/advisories/012003.html
> > 
> > NetBSD CVS servers secure?
> 
> Yes. We were advised of the issue ahead of release and our servers
> were patched, as were the in-tree sources.  The construction of
> our anoncvs servers is such that they wouldn't have been vulnerable
> to any useful exploit anyway.

Just to be clear about this, you really have to work at it to make your
anoncvs server vulnerable to this problem; your repository sources or
system binaries must be owned by the user the anoncvs server runs as.

Our anoncvs server has never been configured that way.  I have real
trouble understanding how anyone else could so configure theirs; it
seems grossly irresponsible.

Thor
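The condition Thor describes is a property of the deployment rather than of CVS itself: whatever the server bug yields runs with the privileges of the user the anoncvs server runs as, so it only becomes useful if that user owns, or can write to, the repository or the binaries the service executes. The following audit is an added example, not code from this thread or from NetBSD's anoncvs setup; it assumes the chroot root and the numeric service uid are passed as arguments (both hypothetical here) and lists every file in the tree that uid could modify, so a clean run prints nothing.

```sh
#!/bin/sh
# Audit an anoncvs chroot for files the service user could modify.
# Added example, not part of any project's scripts.
# Assumed (hypothetical) inputs: $1 = chroot directory, $2 = numeric uid
# the cvs server process runs as.

# Print every regular file or directory under DIR that is either owned by
# UID or writable by group/others. Any such path would let a compromised
# server process alter the repository or the binaries it is served from.
# Symlinks are skipped; their permissions are not what matters.
audit_anoncvs_tree() {
    dir=$1
    uid=$2
    find "$dir" ! -type l \( -uid "$uid" -o -perm -002 -o -perm -020 \) -print 2>/dev/null
}

# Number of offending paths; 0 means the tree is immutable to the service uid.
count_writable() {
    audit_anoncvs_tree "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh audit.sh /var/chroot/anoncvs 32767
if [ $# -eq 2 ]; then
    n=$(count_writable "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "OK: nothing under $1 is owned by or writable for uid $2"
    else
        echo "WARNING: $n path(s) under $1 can be modified by uid $2"
        audit_anoncvs_tree "$1" "$2"
    fi
fi
```

Run it against the chroot root rather than just the repository directory, since the cvs binary and any shared libraries inside the chroot are the other thing the message says must not belong to the service user.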