By Robert Lemos
Posted on ZDNet News: Jun 9, 2004 9:36:00 PM

Security researchers have found at least six more flaws in the open-software world's most popular program for maintaining code under development.

According to a representative of the project that oversees the program, known as the Concurrent Versions System, the vulnerabilities include a flaw that could let an attacker take control of a CVS server from the Internet, putting the code repository's contents at risk. The flaws were discovered as part of an analysis of the program's code following the announcement last month of a similar set of issues.

The security flaws underscore the advice of CVS Project leaders, who say development teams should not be placing source-code repositories directly on the Internet. Rather, the repositories should be accessible only on private local networks or through VPNs (virtual private networks), said Derek Robert Price, one of three maintainers of the CVS Project and the project's release manager.

"We have always said that CVS is not secure," he said. "We have never made any quibbles about that."

Major open-source projects, including the Apache Foundation's Apache Web server and the GNOME and KDE Linux desktops, use the Concurrent Versions System to manage code under development. The software allows programmers to check in changed code, and it tracks the different versions of a program under development.

The major projects using the program were notified of the issues May 28. On Wednesday, the security holes were publicly announced.

The majority of the issues were found by two researchers who vetted the source code after the patch for previous flaws was released in May. One of the researchers, Stefan Esser, also found the previous security holes. The issue became even more serious when an online vandal apparently used the former vulnerabilities to gain access to the CVS Project's server and send an e-mail that said he had gained access. The project has retired that server and plans to analyze its files for evidence of the attack, Price said.

The project has already issued a software update to patch the issue, as has Linux seller SuSE. Other Linux distributions that include the software are expected to release updates this week.

Talkback (most recent of 55):

I would agree except...
On the one hand they claim it was never meant for the Internet, yet when you go to their web site they say it is. Even worse, there is a huge notice that their site is being cleaned because they may have been exploited. This type of doubletalk and your conclusion are both ridiculous....
Posted by: ShadeTree on 06/11/04