author | peter <peter@FreeBSD.org> | 2004-06-10 19:05:38 +0000 |
---|---|---|
committer | peter <peter@FreeBSD.org> | 2004-06-10 19:05:38 +0000 |
commit | 8416bda1d23bda4666a5b880a9d78eccaa640036 (patch) | |
tree | 7d97944b58f1e30ab542f9c3d6720b69314cec4d /contrib/cvs/NEWS | |
parent | 3d101ef985844544d089e129157a94a0640fd246 (diff) | |
Import cvs-1.11.17 onto vendor branch.
Diffstat (limited to 'contrib/cvs/NEWS')
-rw-r--r-- | contrib/cvs/NEWS | 50 |
1 files changed, 47 insertions, 3 deletions
diff --git a/contrib/cvs/NEWS b/contrib/cvs/NEWS index a86d0a1..bca44f8 100644 --- a/contrib/cvs/NEWS +++ b/contrib/cvs/NEWS 
@@ -1,18 +1,62 @@ -Changes since 1.11.14: +Changes since 1.11.16: ********************** +SERVER SECURITY FIXES + +* Thanks to Stefan Esser & Sebastian Krahmer, several potential security + problems have been fixed. The ones which were considered dangerous enough + to catalogue were assigned issue numbers CAN-2004-0416, CAN-2004-0417, & + CAN-2004-0418 by the Common Vulnerabilities and Exposures Project. Please + see <http://www.cve.mitre.org> for more information. + +* A potential buffer overflow vulnerability in the server has been fixed. + This addresses the Common Vulnerabilities and Exposures Project's issue + #CAN-2004-0414. Please see <http://www.cve.mitre.org> for more information. + +Changes from 1.11.15 to 1.11.16: +******************************** + +SERVER SECURITY FIXES + +* A potential buffer overflow vulnerability in the server has been fixed. + Prior to this patch, a malicious client could potentially use carefully + crafted server requests to run arbitrary programs on the CVS server machine. + This addresses the Common Vulnerabilities and Exposures Project's issue + #CAN-2004-0396. Please see <http://www.cve.mitre.org> for more information. + +BUG FIXES + +* The Microsoft Visual C++ workspace and project files have been repaired and + regenerated with MSVC++ 6.0. + +* The cvs.1 man page is now generated automatically from a section of the CVS + Manual. + +* Thanks to a report from Mark Andrews at the Internet Systems Consortium, the + :ext: connection method no longer relies on a transparent transport that uses + an argument processor that can handle arbitrary ordering of options and other + arguments when using a username other than the caller's. + +* Thanks to Ken Raeburn at MIT, directory deletion, whether via `cvs release' + or empty directory pruning, now works on network shares under Windows XP. 
+ +Changes from 1.11.14 to 1.11.15: +******************************** + SERVER SECURITY ISSUES * Piped checkouts of paths above $CVSROOT no longer work. Previously, clients could have requested the contents of RCS archive files anywhere on a CVS - server. + server. This addresses CVE issue CAN-2004-0405. Please see + <http://www.cve.mitre.org> for more information. CLIENT SECURITY ISSUES * Clients now check paths from the server to verify that they are within one of the sandboxes the user requested be updated. Previously, a trojan server could have written or overwritten files anywhere the user had access, - presenting a serious security risk. + presenting a serious security risk. This addresses CVE issue CAN-2004-1080. + Please see <http://www.cve.mitre.org> for more information. GENERAL USER ISSUES |
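Review bot: The new "Changes since 1.11.16" section at the top of the hunk gives no impact for the issues it names. It lists CAN-2004-0416, CAN-2004-0417, CAN-2004-0418 and CAN-2004-0414 but describes them only as "several potential security problems" and "a potential buffer overflow vulnerability in the server", whereas the 1.11.16 entry directly below says a malicious client could run arbitrary programs on the CVS server machine. Because NEWS is a vendor file imported as-is, the place to close that gap is the commit log: "Import cvs-1.11.17 onto vendor branch." does not say that the import carries server security fixes, so I would name the four identifiers there so anyone scanning the history can tell this import is security-relevant. Two smaller points in the same hunk: the added sections use the heading "SERVER SECURITY FIXES" while the retained 1.11.15 section uses "SERVER SECURITY ISSUES", and every reference points at the generic <http://www.cve.mitre.org> rather than at the individual entries, which is worth raising upstream.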