Fog Creek Software
Discussion Board
Got an internet accessible CVS setup?

Have you got an internet-accessible CVS system? Make sure it's been patched. See below:
http://www.theinquirer.org/?article=16524

Peter Ibbotson
Friday, June 11, 2004

Lies!!  Lies!!


Only Windows has security holes!!!  Linux is invulnerable!!

Rammalamma Dingdong
Friday, June 11, 2004

Now here is an idea: why don't we sleuth the whole of bugtraq through this forum. We can have alternating MicroSux, Crapple and OpenSores topic headings depending on the target platform, and then we can interject meta-discussions on the relative numbers. You know, a kind of Slashdot, but multiplatform.

Just me (Sir to you)
Friday, June 11, 2004

Interesting idea, I posted this 'cos I thought here is one of those places where people might have CVS running at work so they can access from home (or the other way round).
The ideology of security bugs is something quite frankly I don't care about. All systems have them to some extent, and given the batch of viruses which required the user to open a zip file and type in a password to get infected, the cluelessness of the users astounds me.

Peter Ibbotson
Friday, June 11, 2004

Peter,

I apologize for the overreaction.

Just me (Sir to you)
Friday, June 11, 2004

We run NG3 for source control which gives us remote access.

Simon Lucy
Friday, June 11, 2004

Thanks for the heads-up.  I run an anonymous CVS pserver.  It's chrooted, of course, but I'm compiling the upgrade now.

Phillip J. Eby
Friday, June 11, 2004

It's alright. Earlier on when I posted my reply I was nearly ready to go into full-on flame mode. Thought better of it; I certainly didn't mean for folks to take this as an "OSS sucks" type thing.
Basically I don't know enough about CVS to be sure if the problem configurations are common.

Peter Ibbotson
Friday, June 11, 2004

For those of you opening your system to the world, strongly consider closing it down and allowing access only via ssh.  That's how I handle it, thereby preventing exposure to the outside world.  Also, I never felt that there was a good reason to trust the security of CVS.

Clay Dowling
Friday, June 11, 2004
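As an added illustration of the "ssh only" setup Clay describes (this is not from the thread or from the CVS project; the inetd line, user name, host and repository path are placeholders I constructed), the script below audits an inetd.conf fragment for an enabled cvspserver entry, builds the :ext: CVSROOT that runs every CVS command over ssh instead, and flags any CVSROOT still using the cleartext pserver method.

```shell
#!/bin/sh
# Added example, not part of the original discussion.
# Audits a CVS exposure the way a sysadmin would after reading the thread:
# 1. is inetd still launching pserver (cleartext passwords on 2401/tcp)?
# 2. what CVSROOT should clients use once only ssh is allowed?
# All paths, names and hosts are constructed placeholders.

# Constructed weak inetd.conf line: pserver enabled and reachable by anyone
WEAK_INETD='cvspserver stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/var/cvsroot pserver'

# Hardened form of the same line: commented out, so inetd no longer
# listens for pserver at all; access then only works over ssh.
HARDENED_INETD='#cvspserver stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/var/cvsroot pserver'

# Return 0 (true) when the inetd.conf text passed in $1 still has an
# active (uncommented) cvspserver service line.
pserver_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*cvspserver[[:space:]]'
}

# Build the ssh-tunnelled CVSROOT.  With CVS_RSH=ssh in the client
# environment, the :ext: method makes cvs spawn ssh for every command.
# $1 = ssh user, $2 = host, $3 = repository path (placeholders).
ssh_cvsroot() {
    printf ':ext:%s@%s:%s' "$1" "$2" "$3"
}

# Return 0 when a CVSROOT string uses the pserver method, whose
# password exchange is only trivially scrambled, not encrypted.
uses_pserver() {
    case "$1" in
        :pserver:*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Count findings for one host configuration: $1 = inetd.conf text,
# $2 = CVSROOT handed out to clients.  Prints each finding and returns
# the number found (0 means the host matches the ssh-only advice).
audit_cvs_access() {
    findings=0
    if pserver_enabled "$1"; then
        echo "FINDING: inetd still starts cvspserver; comment the line out and HUP inetd"
        findings=$((findings + 1))
    fi
    if uses_pserver "$2"; then
        echo "FINDING: clients use $2; switch to $(ssh_cvsroot USER HOST REPO) with CVS_RSH=ssh"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone run: compare the weak and the hardened configuration.
echo "--- weak host ---"
audit_cvs_access "$WEAK_INETD" ':pserver:anonymous@cvs.example.com:/var/cvsroot' || echo "issues: $?"
echo "--- hardened host ---"
audit_cvs_access "$HARDENED_INETD" "$(ssh_cvsroot alice cvs.example.com /var/cvsroot)" || echo "issues: $?"
```

On the client side the matching change is `CVS_RSH=ssh; export CVS_RSH` in the shell profile and a checkout with `cvs -d :ext:alice@cvs.example.com:/var/cvsroot checkout module`, which also means CVS users need real accounts (or ssh keys) on the server rather than entries in CVSROOT/passwd.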

Um, interesting spin on it ("Security holes splatter Open Source").  I'm not familiar with them; do they report on security holes in proprietary software as "Security holes $(VERB) Proprietary Software"?

X
Friday, June 11, 2004

A hole in CVS is not a hole in Linux. You can choose not to configure CVS when you install most Linux distributions.

Windows by itself does not even include source control.

dssdf
Friday, June 11, 2004

Time to upgrade to subversion?

christopher baus (www.baus.net)
Friday, June 11, 2004

And of course, if you run a CVS server on Windows, you also have the same vulnerability, so Linux has absolutely nothing to do with it in the first place.

At least on a proper OS you can easily run it in a chroot "jail".  Does Windows even *have* a chroot facility?

Phillip J. Eby
Friday, June 11, 2004

I heard about this a few weeks ago but this posting just got me off my butt enough to type:

apt-get update
apt-get upgrade

on my home firewall/server.  All patched up!

Almost Anonymous
Friday, June 11, 2004

FYI, Subversion just had a security hole found.  Not sure if it's related to the CVS one.

http://subversion.tigris.org/security/CAN-2004-0413-advisory.txt

Myron A. Semack
Friday, June 11, 2004

Probably not, since the two have no code in common, and very little of the design.  You're about as likely to have the same security hole cropping up on Mac OS and Windows.

X
Friday, June 11, 2004

Well, Mac OS X is based on BSD code, and so is Windows' TCP/IP stack.  So, a BSD TCP/IP bug *could* certainly appear in both Mac OS and Windows.  :)

And, a lot of the same developers who wrote CVS are writing Subversion, so they *could* make the same mistake, if it hadn't already been found and learned from in CVS.

All that being said, I agree it's unlikely to be related, though.  :)

Phillip J. Eby
Saturday, June 12, 2004
