From nobody@FreeBSD.org  Mon Feb  2 04:26:24 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2224A16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  2 Feb 2004 04:26:24 -0800 (PST)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4544743D2D
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  2 Feb 2004 04:26:23 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.10/8.12.10) with ESMTP id i12CQMdL030252
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 2 Feb 2004 04:26:22 -0800 (PST)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.10/8.12.10/Submit) id i12CQMfs030251;
	Mon, 2 Feb 2004 04:26:22 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200402021226.i12CQMfs030251@www.freebsd.org>
Date: Mon, 2 Feb 2004 04:26:22 -0800 (PST)
From: Jacques Marneweck <jacques@ataris.co.za>
To: freebsd-gnats-submit@FreeBSD.org
Subject: 2003-12-18: Stable CVS Version 1.11.11 Released! (security update)
X-Send-Pr-Version: www-2.0

>Number:         62255
>Category:       bin
>Synopsis:       2003-12-18: Stable CVS Version 1.11.11 Released! (security update)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    peter
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 02 04:30:20 PST 2004
>Closed-Date:    Fri Oct 06 04:49:13 GMT 2006
>Last-Modified:  Fri Oct 06 04:49:13 GMT 2006
>Originator:     Jacques Marneweck
>Release:        4.9-STABLE
>Organization:
Ataris Technologies
>Environment:
FreeBSD XXXXX.YYYYYYY.co.za 4.9-STABLE FreeBSD 4.9-STABLE #1: Mon Feb  2 01:26:27 SAST 2004     ZZZZZ@XXXXX.YYYYY.co.za:/usr/obj/usr/src/sys/XXXXXX  i386
>Description:
Stable CVS 1.11.11 has been released. Stable releases contain only bug fixes from previous versions of CVS. This release adds code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file. Previously, any user with the ability to write the CVSROOT/passwd file could execute arbitrary code as the root user on systems with CVS pserver access enabled. We recommend this upgrade for all CVS servers!

Take a look at the NEWS file from the source distribution or go directly to the downloads page.
>How-To-Repeat:
      
>Fix:
Update the version of cvs in /usr/src/contrib/cvs
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->peter 
Responsible-Changed-By: cperciva 
Responsible-Changed-When: Sun Feb 15 20:43:38 PST 2004 
Responsible-Changed-Why:  
Assign to Mr. CVS 

http://www.freebsd.org/cgi/query-pr.cgi?pr=62255 
State-Changed-From-To: open->closed 
State-Changed-By: delphij 
State-Changed-When: Fri Oct 6 04:48:35 UTC 2006 
State-Changed-Why:  
The current CVS available from base system is now 1.11.17 so 
I think this can be closed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=62255 
>Unformatted:
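The failsafe described in the PR's Description, sketched as an added example (not code from CVS, FreeBSD or the original report): resolve the run-as account named in a CVSROOT/passwd-style line (`cvsuser:crypt[:sysuser]`) and refuse to continue if it maps to uid 0. The function names `run_as_name`, `resolve_target_uid` and `drop_to` and the sample line are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE /* exposes initgroups() under strict glibc modes */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Illustrative only; function names are hypothetical, not CVS internals. */
/* Copy the run-as account from one "cvsuser:crypt[:sysuser]" line into out.
 * With no third field, the CVS user name doubles as the system account. */
int run_as_name(const char *line, char *out, size_t outlen) {
    const char *c1 = strchr(line, ':');
    if (c1 == NULL || c1 == line) return -1;
    const char *c2 = strchr(c1 + 1, ':');
    const char *src = c2 ? c2 + 1 : line;
    size_t n = c2 ? strcspn(src, ":\r\n") : (size_t)(c1 - line);
    if (n == 0 || n >= outlen) return -1;   /* fail closed on odd input */
    memcpy(out, src, n);
    out[n] = '\0';
    return 0;
}

/* Failsafe: resolve the account and refuse anything that maps to uid 0,
 * whatever name the file gives it. Returns the uid as long, or -1. */
long resolve_target_uid(const char *line) {
    char name[64];
    if (run_as_name(line, name, sizeof name) != 0) return -1;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL || pw->pw_uid == 0) return -1;
    return (long)pw->pw_uid;
}

/* Drop privileges irreversibly: groups first, then gid, then uid.
 * Returns 0 only if the process can no longer regain root. */
int drop_to(const struct passwd *pw) {
    if (pw->pw_uid == 0) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0 || geteuid() == 0) return -1;  /* still root: abort */
    return 0;
}

int main(void) {
    /* Constructed sample line: an edited entry that maps a login to root. */
    const char *evil = "mallory:ab12cdEFghIJk:root";
    printf("%s -> %ld\n", evil, resolve_target_uid(evil));
    return 0;
}
```

The check is made on the resolved uid rather than on the account name, so an alias account with uid 0 is rejected as well.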
