This update for cvs fixes the following issues :

  - CVE-2017-12836: A leading dash in the argument of the     '-d' option could lead to argument injection     (bsc#1053364)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This relase fixes CVE-2017-12836 vulerbaility (command injection via malicious SSH URL).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the cvs package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - CVS 1.12.x, when configured to use SSH for remote     repositories, might allow remote attackers to execute     arbitrary code via a repository URL with a crafted     hostname, as demonstrated by     '-oProxyCommand=idlocalhost:/bar.'(CVE-2017-12836)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for cvs fixes the following issues :

  - CVE-2017-12836: A leading dash in the argument of the     '-d' option could lead to argument injection     (bsc#1053364) This update was imported from the     SUSE:SLE-12:Update update project.

The remote host is affected by the vulnerability described in GLSA-201709-17 (CVS: Command injection)

    It was discovered that when CVS is configured to use SSH for remote       repositories it allows remote attackers to execute arbitrary code through       a repository URL with a specially crafted hostname.
  Impact :

    A remote attacker, by enticing a user to clone a specially crafted       repository, could possibly execute arbitrary code with the privileges of       the process.
  Workaround :

    There is no known workaround at this time.

It was discovered that there was a command injection vulnerability in the CVS revision control system.

For Debian 7 'Wheezy', this issue has been fixed in cvs version 2:1.12.13+real-9+deb7u1.

We recommend that you upgrade your cvs packages. Thanks to Thorsten Glaser <tg@mirbsd.de> for preparing and testing this upload.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Hank Leininger discovered that cvs did not properly handle SSH for remote repositories. A remote attacker could use this to construct a cvs repository that when accessed could run arbitrary code with the privileges of the user.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the cvs package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :

  - CVS 1.12.x, when configured to use SSH for remote     repositories, might allow remote attackers to execute     arbitrary code via a repository URL with a crafted     hostname, as demonstrated by     '-oProxyCommand=idlocalhost:/bar.'(CVE-2017-12836)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command.

Hank Leininger reports :

Bugs in Git, Subversion, and Mercurial were just announced and patched which allowed arbitrary local command execution if a malicious name was used for the remote server, such as starting with - to pass options to the ssh client : git clone ssh://-oProxyCommand=some-command... CVS has a similar problem with the -d option :

Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.

ID	Name	Product	Family	Published	Updated	Severity
103178	SUSE SLES11 Security Update : cvs (SUSE-SU-2017:2422-1)	Nessus	SuSE Local Security Checks	9/13/2017	1/19/2021	high
102831	Fedora 26 : cvs (2017-e5a78c5ca9)	Nessus	Fedora Local Security Checks	8/30/2017	1/6/2021	high
102829	Fedora 25 : cvs (2017-97eb475d93)	Nessus	Fedora Local Security Checks	8/30/2017	1/6/2021	high
140895	EulerOS 2.0 SP3 : cvs (EulerOS-SA-2020-2128)	Nessus	Huawei Local Security Checks	9/28/2020	2/19/2024	high
103285	openSUSE Security Update : cvs (openSUSE-2017-1060)	Nessus	SuSE Local Security Checks	9/18/2017	1/19/2021	high
142082	EulerOS 2.0 SP5 : cvs (EulerOS-SA-2020-2280)	Nessus	Huawei Local Security Checks	10/30/2020	2/13/2024	high
103445	GLSA-201709-17 : CVS: Command injection	Nessus	Gentoo Local Security Checks	9/25/2017	1/11/2021	high
102441	Debian DLA-1056-1 : cvs security update	Nessus	Debian Local Security Checks	8/14/2017	1/11/2021	high
102680	Ubuntu 14.04 LTS / 16.04 LTS : cvs vulnerability (USN-3399-1)	Nessus	Ubuntu Local Security Checks	8/22/2017	10/20/2023	high
147507	EulerOS Virtualization 3.0.6.6 : cvs (EulerOS-SA-2021-1467)	Nessus	Huawei Local Security Checks	3/10/2021	1/11/2024	high
102447	Debian DSA-3940-1 : cvs - security update	Nessus	Debian Local Security Checks	8/14/2017	1/4/2021	high
103176	SUSE SLED12 / SLES12 Security Update : cvs (SUSE-SU-2017:2419-1)	Nessus	SuSE Local Security Checks	9/13/2017	1/6/2021	high
106996	FreeBSD : cvs -- Remote code execution via ssh command injection (d9fe59ea-1940-11e8-9eb8-5404a68ad561)	Nessus	FreeBSD Local Security Checks	2/26/2018	11/10/2018	high
142237	EulerOS 2.0 SP2 : cvs (EulerOS-SA-2020-2338)	Nessus	Huawei Local Security Checks	11/3/2020	2/12/2024	high

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high

high

high

high

high

high

high