From nobody@FreeBSD.org  Thu Sep 30 15:26:36 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D39FB16A4CF
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Sep 2004 15:26:36 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A821243D5E
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Sep 2004 15:26:36 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i8UFQakI084935
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Sep 2004 15:26:36 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i8UFQaKL084931;
	Thu, 30 Sep 2004 15:26:36 GMT
	(envelope-from nobody)
Message-Id: <200409301526.i8UFQaKL084931@www.freebsd.org>
Date: Thu, 30 Sep 2004 15:26:36 GMT
From: Kero-Chan <kerochan2@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: portaudit warns about the CVS server vulnerability which has already been fixed.
X-Send-Pr-Version: www-2.3

>Number:         72202
>Category:       ports
>Synopsis:       ports-mgmt/portaudit warns about the CVS server vulnerability which has already been fixed.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 30 15:30:16 GMT 2004
>Closed-Date:    
>Last-Modified:  Mon Jun 03 13:52:29 UTC 2013
>Originator:     Kero-Chan
>Release:        5.2.1-RELEASE-p10
>Organization:
>Environment:
FreeBSD 5.2.1-RELEASE-p10
>Description:
      portaudit warns about an already fixed vulnerability. See these threads:
http://lists.freebsd.org/pipermail/freebsd-audit/2004-September/000072.html
http://lists.freebsd.org/pipermail/freebsd-security/2004-September/002289.html

>How-To-Repeat:
      portaudit -Fa
>Fix:
      
>Release-Note:
>Audit-Trail:

From: <kerochan2@gmail.com>
To: <freebsd-gnats-submit@FreeBSD.org>
Cc:  
Subject: Re: ports/72202: portaudit warns about the CVS server vulnerability which has already been fixed.
Date: Tue,  5 Oct 2004 14:32:33 +0000 (GMT)

 Should this be this way?:
 
 --------------------------------------------------8<----------
 
 dxlvi ~# date
 Tue Oct  5 16:04:57 CEST 2004
 dxlvi ~# uname -a
 FreeBSD dxlvi.chello.hu 5.2.1-RELEASE-p11 FreeBSD 5.2.1-RELEASE-p11 #0: Tue Oct  5 10:52:20 CEST 2004     root@dxlvi.chello.hu:/usr/obj/usr/src/sys/DXLVI  i386
 dxlvi ~# cvs --version
 
 Concurrent Versions System (CVS) 1.11.5-FreeBSD (client/server)
 
 Copyright (c) 1989-2002 Brian Berliner, david d `zoo' zuhn,
                         Jeff Polk, and other authors
 
 CVS may be copied only under the terms of the GNU General Public License,
 a copy of which can be found with the CVS distribution kit.
 
 Specify the --help option for further information about CVS
 dxlvi ~# portaudit -Fa
 Receiving auditfile.tbz (12646 bytes): 100%
 12646 bytes transferred in 0.7 seconds (17.65 kBps)
 New database installed.
 Affected package: FreeBSD-502010
 Type of problem: multiple vulnerabilities in the cvs server code.
 Reference: <http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html>
 Note: To disable this check add the uuid to `portaudit_fixed' in /usr/local/etc/portaudit.conf
 
 0 problem(s) in your installed packages found.
 
 --------------------------------------------------8<----------
 
 From http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html:
 
 References:
 
      * CVE name CAN-2004-0414
      * CVE name CAN-2004-0416
      * CVE name CAN-2004-0417
      * CVE name CAN-2004-0418
      * CVE name CAN-2004-0778
 [...]
 Affects:
 
      * cvs+ipv6 <1.11.17
      * FreeBSD <491101
      * FreeBSD >=500000 <502114
 
 --------------------------------------------------8<----------
 
 From ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:14.cvs.asc:
 
 Topic:          CVS
 
 Category:       contrib
 Module:         cvs
 Announced:      2004-09-19
 Credits:        Stefan Esser, Sebastian Krahmer, Derek Price
                 iDEFENSE
 Affects:        All FreeBSD versions
 Corrected:      2004-06-29 16:10:50 UTC (RELENG_4)
                 2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3)
                 2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12)
                 2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25)
                 2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10)
 CVE Name:       CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418,
                 CAN-2004-0778
 
 --------------------------------------------------8<----------
 
 So, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418 and CAN-2004-0778 are:
  * Fixed in 5.2.1-RELEASE-p10
  * Reported as unfixed on a 5.2.1-RELEASE-p11 system
  * Reported as fixed in "502114" (?) in the URL portaudit gives
  * Reported by portaudit as affecting "502010"
 
 Hope it helps...
 <kerochan2@gmail.com>
Responsible-Changed-From-To: freebsd-bugs->eik 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Oct 10 05:28:16 GMT 2004 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72202 

From: Yar Tikhiy <yar@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org, eik@FreeBSD.org
Cc:  
Subject: Re: ports/72202: portaudit warns about the CVS server vulnerability which has already been fixed.
Date: Sat, 30 Oct 2004 17:05:37 +0400

 I'd like to add to the audit trail that this problem affects 4.x
 versions, too.  In particular, portaudit tells the following on
 my 4.10-RELEASE-p3 system:
 
 	Affected package: FreeBSD-491000
 	Type of problem: multiple vulnerabilities in the cvs server code.
 	Reference: <http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html>
 	Note: To disable this check add the uuid to `portaudit_fixed' in /usr/local/etc/portaudit.conf
 
 I hope this can help to spot the problem.
 
 -- 
 Yar
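As an added illustration (not code from this PR or from portaudit itself), the following Python models the check behind both reports above: the base system is represented by a pseudo-package named after the integer kern.osreldate, which is then matched against the VuXML "Affects" ranges quoted from the entry. The osreldate-to-"FreeBSD-NNNNNN" mapping and the portaudit_fixed suppression are assumptions drawn from the quoted output; the ranges, the uuid and the numbers 502010 and 491000 are the page's own.

```python
import re

# Constructed from the VuXML entry quoted earlier in this PR: its uuid and
# the two "Affects" lines for the base system (example data, not a live feed).
VUXML_UUID = "d2102505-f03d-11d8-81b0-000347a4fa7d"
VUXML_AFFECTS = ["FreeBSD <491101", "FreeBSD >=500000 <502114"]
ENTRIES = [(VUXML_UUID, VUXML_AFFECTS)]

# Operator first, then the integer bound; "<=" and ">=" must precede "<" and ">".
_BOUND = re.compile(r"(<=|>=|<|>)\s*(\d+)")


def parse_spec(spec):
    """'FreeBSD >=500000 <502114' -> ('FreeBSD', [('>=', 500000), ('<', 502114)])."""
    name, _, rest = spec.strip().partition(" ")
    bounds = [(op, int(val)) for op, val in _BOUND.findall(rest)]
    return name, bounds


def matches(osreldate, bounds):
    """True when the integer osreldate satisfies every bound of one spec."""
    ops = {"<": osreldate.__lt__, "<=": osreldate.__le__,
           ">": osreldate.__gt__, ">=": osreldate.__ge__}
    return all(ops[op](val) for op, val in bounds)


def pseudo_package(osreldate):
    """Assumed portaudit behaviour: the base system is audited as the
    pseudo-package 'FreeBSD-<kern.osreldate>'. That number identifies the
    release branch only; a -pN security patch level does not change it,
    so 5.2.1-RELEASE-p10 and -p11 both become 'FreeBSD-502010'."""
    return "FreeBSD-%d" % osreldate


def audit(osreldate, entries, fixed_uuids=()):
    """Return the uuids whose ranges cover this osreldate, skipping any uuid
    the administrator has listed in portaudit_fixed (the workaround the
    portaudit note suggests)."""
    hits = []
    for uuid, specs in entries:
        if uuid in fixed_uuids:
            continue
        for spec in specs:
            name, bounds = parse_spec(spec)
            if name == "FreeBSD" and matches(osreldate, bounds):
                hits.append(uuid)
                break
    return hits
```

Running `audit(502010, ENTRIES)` reproduces the -p11 false positive, and `audit(491000, ENTRIES)` the 4.10-RELEASE-p3 one, because neither patch level is visible in the osreldate; only `fixed_uuids={VUXML_UUID}` silences the entry.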
Responsible-Changed-From-To: eik->simon 
Responsible-Changed-By: simon 
Responsible-Changed-When: Tue Jun 14 22:05:14 GMT 2005 
Responsible-Changed-Why:  
Grab portaudit PR with new portaudit maintainer hat. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72202 
State-Changed-From-To: open->suspended 
State-Changed-By: simon 
State-Changed-When: Sat Jul 30 14:47:44 GMT 2005 
State-Changed-Why:  
To make this functionality really work we need a better versioning of 
security updates, which the Security Team is looking at.  Until that 
is resolved portaudit can't really do that much useful wrt. the base 
system vulnerabilities, so suspend the PR for now. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72202 
Responsible-Changed-From-To: simon->freebsd-bugs 
Responsible-Changed-By: simon 
Responsible-Changed-When: Mon Jun 3 13:52:16 UTC 2013 
Responsible-Changed-Why:  
Send PRs which I'm unlikely to look at back to the pool. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72202 
>Unformatted:
