Thread: [WEBMASTER] 'www/html/devel-corner index.html'
Update of /home/projects/pgsql/cvsroot/www/html/devel-corner
In directory hub.org:/home/projects/pgsql/developers/vev/www/html/devel-corner

Modified Files:
	index.html
Log Message:

Updated cvsweb
* Vince Vielhaber <vev@hub.org> [000925 07:50] wrote:
> Update of /home/projects/pgsql/cvsroot/www/html/devel-corner
> In directory hub.org:/home/projects/pgsql/developers/vev/www/html/devel-corner
>
> Modified Files:
> 	index.html
> Log Message:
>
> Updated cvsweb

I haven't checked, but you guys are aware of the cvsweb vulnerability
that was posted a couple of weeks ago, right?

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
On Mon, 25 Sep 2000, Alfred Perlstein wrote:

> * Vince Vielhaber <vev@hub.org> [000925 07:50] wrote:
> > Update of /home/projects/pgsql/cvsroot/www/html/devel-corner
> > In directory hub.org:/home/projects/pgsql/developers/vev/www/html/devel-corner
> >
> > Modified Files:
> > 	index.html
> > Log Message:
> >
> > Updated cvsweb
>
> I haven't checked, but you guys are aware of the cvsweb vulnerability
> that was posted a couple of weeks ago, right?

I missed that one.  Do you recall any details?

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
        Online Campground Directory    http://www.camping-usa.com
       Online Giftshop Superstore    http://www.cloudninegifts.com
==========================================================================
* Vince Vielhaber <vev@michvhf.com> [000925 11:55] wrote:
> On Mon, 25 Sep 2000, Alfred Perlstein wrote:
>
> > * Vince Vielhaber <vev@hub.org> [000925 07:50] wrote:
> > > Update of /home/projects/pgsql/cvsroot/www/html/devel-corner
> > > In directory hub.org:/home/projects/pgsql/developers/vev/www/html/devel-corner
> > >
> > > Modified Files:
> > > 	index.html
> > > Log Message:
> > >
> > > Updated cvsweb
> >
> > I haven't checked, but you guys are aware of the cvsweb vulnerability
> > that was posted a couple of weeks ago, right?
>
> I missed that one.  Do you recall any details?

It's on security focus:

    Cvsweb 1.80 makes an insecure call to the
    perl OPEN function, providing attackers with
    write access to a cvs repository the ability to
    execute arbitrary commands on the host
    machine. The code that is being exploited
    here is the following:

        open($fh, "rlog '$filenames' 2>/dev/null |")

Do you guys have a private developers' list that doesn't get broadcast
back out that I can use if anything like this pops up in the future?

Actually, now that I've looked at it you guys seem to be using 1.93,
a bit newer than the vulnerable version.

Sorry for the scare, but you may want to double check.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
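The open() call quoted from the advisory above is the classic Perl shell-injection shape: a single command string, with an attacker-influenced file name interpolated into it, handed to /bin/sh because of the trailing pipe. The script below is an added example written for this page; it is not cvsweb's code and does not show what cvsweb 1.93 actually changed. It uses echo as a stand-in for rlog so it runs on any box, and the malicious repository file name is constructed here for illustration. The `run_unsafe` and `run_safe` names and the extra file-name checks are this example's own.

```perl
#!/usr/bin/perl
# Added example (not cvsweb code): the shell-interpolating two-argument
# open() quoted in the advisory, beside a list-form pipe open that never
# goes through a shell.  "echo" stands in for rlog so the effect is
# visible offline; cvsweb itself calls rlog.
use strict;
use warnings;

my $TOOL = 'echo';   # assumption for the demo; the real target is rlog

# A file name that someone with CVS write access could create in the
# repository.  Constructed for this example.
my $evil = "x'; echo INJECTED; echo '.c,v";

# Vulnerable: the whole string is parsed by /bin/sh.  The single quote in
# $filename closes the quoting and the rest is run as further commands.
sub run_unsafe {
    my ($filename) = @_;
    open(my $fh, "$TOOL '$filename' 2>/dev/null |") or die "open: $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Hardened: list-form open with '-|' exec()s $TOOL directly.  $filename
# arrives as one argv element, so shell metacharacters in it are inert.
sub run_safe {
    my ($filename) = @_;
    # Defense in depth: no shell does not mean no argument injection.
    # A name starting with '-' would be parsed by rlog as an option, so
    # reject it, along with anything that is not an RCS ",v" file and
    # any ".." path segment.
    die "rejected filename: $filename\n"
        if $filename =~ /\A-/
        || $filename !~ /,v\z/
        || $filename =~ m{(?:\A|/)\.\.(?:/|\z)};
    open(my $fh, '-|', $TOOL, $filename) or die "open: $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

print "unsafe:\n", run_unsafe($evil);   # three lines: x, INJECTED, .c,v
print "safe:\n",   run_safe($evil);     # one line: the name, verbatim
```

The safe form drops the `2>/dev/null` because there is no shell to interpret it; if rlog's stderr must be silenced, redirect STDERR in the parent around the open (or fork and redirect in the child) rather than reintroducing a shell string. Quoting the interpolated value is not a fix: the advisory's code already wraps the name in single quotes, and a single quote inside the name defeats it.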
On Mon, 25 Sep 2000, Alfred Perlstein wrote:

> Do you guys have a private developers' list that doesn't get broadcast
> back out that I can use if anything like this pops up in the future?

Send it to webmaster@postgresql.org

> Actually, now that I've looked at it you guys seem to be using 1.93,
> a bit newer than the vulnerable version.
>
> Sorry for the scare, but you may want to double check.

Glad you did.  I never even saw that one go by.

Vince.
--
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
Alfred Perlstein <bright@wintelcom.net> writes:
> It's on security focus:
>
>     Cvsweb 1.80 makes an insecure call to the
>     perl OPEN function, providing attackers with
>     write access to a cvs repository the ability to
      ^^^^^^^^^^^^
>     execute arbitrary commands on the host
>     machine. The code that is being exploited
>     here is the following:
>
>         open($fh, "rlog '$filenames' 2>/dev/null |")

> Actually, now that I've looked at it you guys seem to be using 1.93,
> a bit newer than the vulnerable version.

Since we don't hand out cvs write access very freely, this doesn't seem
like a big problem.  Still, it might be a good idea to actually remove
the old version of cvsweb (cvswebtest) rather than just not have it
linked to anymore ...

> Do you guys have a private developers' list that doesn't get broadcast
> back out that I can use if anything like this pops up in the future?

You can send security concerns to pgsql-core@postgreSQL.org --- the core
list isn't publicly readable (or even archived anywhere, AFAIK).

			regards, tom lane
On Mon, 25 Sep 2000, Tom Lane wrote:

> Alfred Perlstein <bright@wintelcom.net> writes:
> > It's on security focus:
> >
> >     Cvsweb 1.80 makes an insecure call to the
> >     perl OPEN function, providing attackers with
> >     write access to a cvs repository the ability to
>       ^^^^^^^^^^^^
> >     execute arbitrary commands on the host
> >     machine. The code that is being exploited
> >     here is the following:
> >
> >         open($fh, "rlog '$filenames' 2>/dev/null |")
>
> > Actually, now that I've looked at it you guys seem to be using 1.93,
> > a bit newer than the vulnerable version.
>
> Since we don't hand out cvs write access very freely, this doesn't seem
> like a big problem.  Still, it might be a good idea to actually remove
> the old version of cvsweb (cvswebtest) rather than just not have it
> linked to anymore ...

Done.

> > Do you guys have a private developers' list that doesn't get broadcast
> > back out that I can use if anything like this pops up in the future?
>
> You can send security concerns to pgsql-core@postgreSQL.org --- the core
> list isn't publicly readable (or even archived anywhere, AFAIK).
>
> 			regards, tom lane

Vince.
--
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net