This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.
The remote Red Hat host is missing a security update.

Updated CVS packages are now available for Red Hat Linux Advanced
Server. These updates fix a vulnerability which would permit arbitrary
command execution on servers configured to allow anonymous read-only

[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation

CVS is a version control system frequently used to manage source code
repositories. During an audit of the CVS sources, Stefan Esser
discovered an exploitable double-free bug in the CVS server.

On servers which are configured to allow anonymous read-only access,
this bug could be used by anonymous users to gain write privileges.
Users with CVS write privileges can then use the Update-prog and
Checkin-prog features to execute arbitrary commands on the server.

All users of CVS are advised to upgrade to these packages which
contain patches to correct the double-free bug.

Our thanks go to Stefan Esser of e-matters for reporting this issue to
Update the affected cvs package.
Risk factor : High / CVSS Base Score : 7.5
Public Exploit Available : true
Family: Red Hat Local Security Checks
Nessus Plugin ID: 12351
CVE ID: CVE-2003-0015