On Mon, 25 Sep 2000, Tom Lane wrote:
> Alfred Perlstein <bright@wintelcom.net> writes:
> > It's on security focus:
>
> > Cvsweb 1.80 makes an insecure call to the
> > perl OPEN function, providing attackers with
> > write access to a cvs repository the ability to
> ^^^^^^^^^^^^
> > execute arbitrary commands on the host
> > machine. The code that is being exploited
> > here is the following: open($fh, "rlog
> > '$filenames' 2>/dev/null |")
>
> > Actually, now that I've looked at it you guys seem to be using 1.93
> > a bit newer than the vulnerable version.
>
> Since we don't hand out cvs write access very freely, this doesn't seem
> like a big problem. Still, it might be a good idea to actually remove
> the old version of cvsweb (cvswebtest) rather than just not have it
> linked to anymore ...
Done.
>
>
> > Do you guys have a private developers' list that doesn't get broadcast
> > back out that I can use if anything like this pops up in the future?
>
> You can send security concerns to pgsql-core@postgreSQL.org --- the core
> list isn't publicly readable (or even archived anywhere, AFAIK).
>
> regards, tom lane
>
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================