GLSA-200404-13 : CVS Server and Client Vulnerabilities

This script is Copyright (C) 2004-2015 Tenable Network Security, Inc.

Synopsis :

The remote Gentoo host is missing one or more security-related

Description :

The remote host is affected by the vulnerability described in GLSA-200404-13
(CVS Server and Client Vulnerabilities)

There are two vulnerabilities in CVS: one in the server and one in the
client. The server vulnerability allows a malicious client to request
the contents of any RCS file to which the server has permission, even
those not located under $CVSROOT. The client vulnerability allows a
malicious server to overwrite files on the client machine anywhere the
client has permissions.

Impact :

Arbitrary files may be read or written on CVS clients and servers by
anybody with access to the CVS tree.

Workaround :

There is no known workaround at this time. All users are encouraged to
upgrade to the latest stable version of CVS.

Solution :

All CVS users should upgrade to the latest stable version:

    # emerge sync
    # emerge -pv '>=dev-util/cvs-1.11.15'
    # emerge '>=dev-util/cvs-1.11.15'

Risk factor :

Medium / CVSS Base Score : 5.0

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14478 (gentoo_GLSA-200404-13.nasl)

CVE ID: CVE-2004-0180