Notified: January 21, 2003 Updated: August 20, 2003
Affected
Apple: Not Vulnerable. The underlying code in Mac OS X is not susceptible to the vulnerability described in this notice.
The vendor has not provided us with any further information regarding this vulnerability.
Based on source code analysis, cvs-29 from the Darwin Projects Directory appears to be vulnerable. However, the Apple OS X malloc(3) implementation (phkmalloc) may safely handle the double-free condition. If malloc(3) is configured such that all warnings are fatal ("A" option), the impact of this vulnerability on Darwin cvs-29 may be limited to a denial of service. Darwin cvs-29 may not be the same cvs code that is shipped with the Apple OS X Developer Tools package.
Notified: January 21, 2003 Updated: January 21, 2003
Affected
Conectiva Linux is affected by this issue and updated packages are available at ftp://atualizacoes.conectiva.com.br/:
6.0/SRPMS/cvs-1.10.8-5U60_3cl.src.rpm
6.0/RPMS/cvs-1.10.8-5U60_3cl.i386.rpm
6.0/RPMS/cvs-doc-1.10.8-5U60_3cl.i386.rpm
7.0/SRPMS/cvs-1.11-7U70_2cl.src.rpm
7.0/RPMS/cvs-1.11-7U70_2cl.i386.rpm
7.0/RPMS/cvs-doc-1.11-7U70_2cl.i386.rpm
8/SRPMS/cvs-1.11-9U80_2cl.i386.rpm
8/RPMS/cvs-1.11-9U80_2cl.i386.rpm
8/RPMS/cvs-doc-1.11-9U80_2cl.i386.rpm
An official announcement is pending and will show up in our updates website at http://distro.conectiva.com.br/atualizacoes?idioma=en shortly.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: January 21, 2003
Affected
Cray Inc. supports CVS through their Cray Open Software (COS) package. COS 3.3 and earlier is vulnerable. A new CVS will be available shortly. Please contact your local Cray service representative if you need this new package.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: January 22, 2003
Affected
CVS release 1.11.5 addresses this issue for CVS servers. CVS clients are not affected.
The vendor has not provided us with any further information regarding this vulnerability.
Updated: February 14, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
According to the sordid history of CVSNT, this issue was addressed in CVSNT 1.11.1.3-68:
Notified: January 21, 2003 Updated: January 21, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: January 22, 2003
Affected
Debian has updated their distribution with DSA 233: http://www.debian.org/security/2003/dsa-233
For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-8.1.
For the old stable distribution (potato) this problem has been fixed in version 1.10.7-9.2.
For the unstable distribution (sid) this problem will be fixed soon.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: February 04, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 21, 2003 Updated: February 03, 2003
Not Affected
Fujitsu's UXP/V OS is not vulnerable to the problem reported in VU#650937 because it does not support a CVS server.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: February 03, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 21, 2003 Updated: January 21, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: February 14, 2003
Unknown
SOURCE: Hewlett-Packard Company and Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company
RE: x-reference SSRT3463
Not Vulnerable:
HP-UX
HP-MPE/ix
HP Tru64 UNIX
HP NonStop Servers
HP OpenVMS
To report any security issue for any HP software products send email to security-alert@hp.com
The vendor has not provided us with any further information regarding this vulnerability.
HP Secure OS Software for Linux may be affected.
Notified: January 21, 2003 Updated: February 04, 2003
Not Affected
The GR2000 router does not contain any part of CVS. Therefore, it is not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: January 22, 2003
Affected
The AIX operating system does not ship with CVS. However, CVS is available for installation on AIX from the Linux Affinity Toolbox. CVS versions 1.11.1p1-2 and earlier are vulnerable to the issues discussed in CERT Vulnerability Note VU#650937 and any advisories which follow. Users are advised to download CVS 1.11.1p1-3 from:
ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/cvs/cvs-1.11.1p1-3.aix4.3.ppc.rpm
CVS 1.11.1p1-3 contains the security fixes made in CVS 1.11.5 to address these issues. This software is offered on an "as-is" basis.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: February 14, 2003
Not Affected
Ingrian Networks platforms are not vulnerable to VU#650937.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: January 21, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 21, 2003 Updated: January 21, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: February 04, 2003
Not Affected
Subject: VU650937 sent on January 23, 2003
[Server Products] The EWS/UP 48 Series operating system is NOT vulnerable; it does not include CVS.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: February 04, 2003
Affected
The NetBSD project's CVS servers are constructed such that this issue exposed no vulnerability. Nevertheless the fix was applied, and incorporated into the in-tree version of CVS for the benefit of NetBSD users who may be offering their own CVS services.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 21, 2003 Updated: January 21, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: April 04, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Updated: February 03, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 21, 2003 Updated: February 04, 2003
Not Affected
We don't yet re-distribute CVS in Openwall GNU/*/Linux. We do, however, provide public anonymous CVS access to a copy of our repository, hosted off a separate machine and in a chroot jail. This kind of vulnerability in CVS was expected, and our anoncvs setup is mostly resistant to them: read-only access to the repository is achieved primarily with the use of regular Unix permissions, not controls built into CVS. The CVS LockDir option is used to direct CVS lock files to a separate directory tree, which is the only tree writable by the pseudo-user. Nevertheless, the anoncvs server was upgraded to CVS 1.11.5 a few hours after it was released.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: February 03, 2003
Affected
Red Hat Linux and Red Hat Linux Advanced Server shipped with a cvs package vulnerable to these issues. New cvs packages are now available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.
Red Hat Linux Advanced Server: http://rhn.redhat.com/errata/RHSA-2003-013.html
Red Hat Linux: http://rhn.redhat.com/errata/RHSA-2003-012.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: January 21, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: January 21, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: February 03, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 21, 2003 Updated: January 21, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: August 19, 2003
Affected
Sun does not include CVS with Solaris and therefore Solaris is not affected by this issue. Sun does provide CVS on the Solaris Companion CD (http://wwws.sun.com/software/solaris/freeware/index.html) as an unsupported package which installs to /opt/sfw and is vulnerable to this issue. Sites using the freeware version of CVS from the Solaris Companion CD will have to upgrade to a later version from CVS Home.
Sun Linux, versions 5.0.3 and below, does ship with a vulnerable CVS package. Sun recommends that CVS services be disabled on affected Sun Linux systems until patches are available for this issue. Sun will be publishing a Sun Alert for Sun Linux describing the patch information, which will be available from: http://sunsolve.Sun.COM
The vendor has not provided us with any further information regarding this vulnerability.
Sun Cobalt Legacy Products and Linux 5.0.3 are vulnerable:
Notified: January 21, 2003 Updated: February 14, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 21, 2003 Updated: February 03, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 21, 2003 Updated: January 21, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: January 21, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: January 21, 2003 Updated: April 08, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.