Bug 62255

Summary: 2003-12-18: Stable CVS Version 1.11.11 Released! (security update)
Product: Base System
Reporter: Jacques Marneweck <jacques>
Component: bin
Assignee: Peter Wemm <peter>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.9-STABLE   
Hardware: Any   
OS: Any   

Description Jacques Marneweck 2004-02-02 12:30:20 UTC
Stable CVS 1.11.11 has been released. Stable releases contain only bug fixes from previous versions of CVS. This release adds code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file. Previously, any user with the ability to write the CVSROOT/passwd file could execute arbitrary code as the root user on systems with CVS pserver access enabled. We recommend this upgrade for all CVS servers!

Take a look at the NEWS file from the source distribution or go directly to the downloads page.

Fix: 

Update the version of cvs in /usr/src/contrib/cvs
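
The failsafe described in the release note above, sketched as an added C example (not code from this report or from the CVS source): the system account a login maps to is vetted before the privilege drop, and uid 0 is refused. The names `vet_run_as` and `drop_to` and the result codes are hypothetical.

```c
#define _DEFAULT_SOURCE /* glibc: declare initgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum drop_result { DROP_OK, DROP_NO_SUCH_USER, DROP_REFUSE_ROOT, DROP_FAILED };

/* Vet the account a login maps to. No side effects, so it can be
   exercised without privileges. */
enum drop_result vet_run_as(const struct passwd *pw)
{
    if (pw == NULL)
        return DROP_NO_SUCH_USER;
    if (pw->pw_uid == 0)          /* the failsafe: never continue as root */
        return DROP_REFUSE_ROOT;
    return DROP_OK;
}

/* Switch the server process to sysuser (hypothetical helper). */
enum drop_result drop_to(const char *sysuser)
{
    const struct passwd *pw = getpwnam(sysuser);
    enum drop_result r = vet_run_as(pw);
    if (r != DROP_OK)
        return r;
    /* Order matters: supplementary groups and gid first, uid last. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return DROP_FAILED;
    /* Verify the drop took effect and cannot be undone. */
    if (getuid() == 0 || geteuid() == 0 || setuid(0) == 0)
        return DROP_FAILED;
    return DROP_OK;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok", "no such user", "refusing root", "failed" };
    if (argc != 2) {
        fprintf(stderr, "usage: %s system-user\n", argv[0]);
        return 2;
    }
    enum drop_result r = drop_to(argv[1]);
    printf("%s: %s\n", argv[1], msg[r]);
    return r == DROP_OK ? 0 : 1;
}
```

Because the check sits in the process that performs the switch, it holds even when the file supplying the account name has been tampered with.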
Comment 1 Colin Percival freebsd_committer freebsd_triage 2004-02-16 04:43:38 UTC
Responsible Changed
From-To: freebsd-bugs->peter

Assign to Mr. CVS
Comment 2 Xin LI freebsd_committer freebsd_triage 2006-10-06 05:48:35 UTC
State Changed
From-To: open->closed

The current CVS available from base system is now 1.11.17 so I think this can be closed.