Mandrake Linux Security Advisory : cvs (MDKSA-2004:028)
Low Nessus Plugin ID 14127
Synopsis
The remote Mandrake Linux host is missing a security update.
Description
Sebastian Krahmer from the SUSE security team discovered a remotely exploitable vulnerability in the CVS client. When doing a cvs checkout or update over a network, the client accepts absolute pathnames in the RCS diff files. A maliciously configured server could then create any file with content on the local user's disk. This problem affects all versions of CVS prior to 1.11.15, which fixed the problem.
The updated packages provide 1.11.14 with the pertinent fix for the problem.
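The kind of check whose absence the description points to, as an added example (not code from CVS, the advisory or the plugin): a client-side validator for pathnames received from a server. The function name and the sample paths are hypothetical, and the check goes beyond the advisory's absolute-path case by also rejecting ".." components.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if a server-supplied pathname may be
 * created beneath the client's working directory, 0 otherwise.
 * The check is purely lexical; it does not resolve symlinks that already
 * exist in the working tree. */
int server_path_is_safe(const char *path)
{
    const char *p = path;

    if (path == NULL || path[0] == '\0')
        return 0;                       /* nothing to create */
    if (path[0] == '/')
        return 0;                       /* absolute pathname: the case in the advisory */

    while (*p != '\0') {
        const char *start;
        size_t len;

        while (*p == '/')               /* skip repeated separators */
            p++;
        start = p;
        while (*p != '\0' && *p != '/')
            p++;
        len = (size_t)(p - start);

        /* A ".." component could climb out of the working directory. */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample pathnames, as a server might send them. */
    const char *samples[] = { "src/main.c", "./doc/README", "/tmp/constructed",
                              "../outside", "a/../../b", "a..b/c" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i],
               server_path_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```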
Solution
Update the affected cvs package.