Re: [WEBMASTER] 'www/html/devel-corner index.html'
From | Alfred Perlstein |
---|---|
Subject | Re: [WEBMASTER] 'www/html/devel-corner index.html' |
Date | |
Msg-id | 20000925120306.C9141@fw.wintelcom.net |
In response to | Re: [WEBMASTER] 'www/html/devel-corner index.html' (Vince Vielhaber <vev@michvhf.com>) |
Responses |
Re: [WEBMASTER] 'www/html/devel-corner index.html'
Re: [WEBMASTER] 'www/html/devel-corner index.html' |
List | pgsql-committers |
* Vince Vielhaber <vev@michvhf.com> [000925 11:55] wrote:
> On Mon, 25 Sep 2000, Alfred Perlstein wrote:
>
> > * Vince Vielhaber <vev@hub.org> [000925 07:50] wrote:
> > > Update of /home/projects/pgsql/cvsroot/www/html/devel-corner
> > > In directory hub.org:/home/projects/pgsql/developers/vev/www/html/devel-corner
> > >
> > > Modified Files:
> > > index.html
> > > Log Message:
> > >
> > > Updated cvsweb
> >
> > I haven't checked, but you guys are aware of the cvsweb vulnerability
> > that was posted a couple of weeks ago right?
>
> I missed that one. Do you recall any details?

It's on security focus:

Cvsweb 1.80 makes an insecure call to the perl OPEN function, providing attackers with write access to a cvs repository the ability to execute arbitrary commands on the host machine. The code that is being exploited here is the following:

    open($fh, "rlog '$filenames' 2>/dev/null |")

Do you guys have a private developers' list that doesn't get broadcast back out that I can use if anything like this pops up in the future?

Actually, now that I've looked at it you guys seem to be using 1.93 a bit newer than the vulnerable version. Sorry for the scare but you may want to double check.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
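A shell-free form of the call quoted from the advisory, as an added example that is not part of the original message and is not cvsweb's own code. The helper name `safe_pipe_read` and the sample file names are hypothetical, and a child perl that prints its arguments stands in for `rlog` so the script runs without RCS installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run $prog with @args and return its stdout lines. No shell is involved:
# the forking form of open() gives us a child process, and exec with an
# explicit argument list passes every element as exactly one argv entry.
sub safe_pipe_read {
    my ($prog, @args) = @_;
    my $pid = open(my $fh, '-|');
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                      # child
        open(STDERR, '>', '/dev/null');   # replaces the shell's 2>/dev/null
        exec { $prog } $prog, @args;
        exit 127;                         # only reached if exec failed
    }
    my @lines = <$fh>;
    close($fh);                           # reaps the child and sets $?
    return @lines;
}

# Constructed sample input: repository file names, some containing
# characters that a shell would interpret if the name were interpolated
# into a command string.
my @names = (
    "src/main.c,v",
    "it's here.c,v",
    'a;b $(c) `d`.c,v',
    "-x.c,v",
);

# Removing the shell does not stop the program itself from reading a
# leading "-" as an option, so anchor such names with "./".
my @anchored = map { m{^-} ? "./$_" : $_ } @names;

# Stand-in for rlog (assumption): print each argument received in brackets.
my @out = safe_pipe_read($^X, '-e', 'print "[$_]\n" for @ARGV', '--', @anchored);
print @out;
```

Each name comes back as a single bracketed argument, quotes and metacharacters included, because nothing in the path from Perl to the child parses it as shell syntax.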