Read about the latest developments in security every month in Security Watch
Bug in CVS Server
A "double-free" vulnerability in the Concurrent
Versions System (CVS) server could allow an unauthenticated,
remote attacker with read-only access to execute arbitrary
code, alter program operation, read sensitive information,
or cause a denial of service.
CVS is a version control and collaboration system that
is widely used by open-source software development projects.
CVS is commonly configured to allow public, anonymous,
read-only access via the Internet.
Deallocating memory that has already been freed corrupts
the heap, which an attacker could
leverage to execute arbitrary code, alter the logical
operation of the CVS server program, or read sensitive
information stored in memory. In most cases, heap corruption
will result in a segmentation fault, causing a denial
of service. The CVS server process is typically started
by the Internet services daemon and runs with root privileges.
Arbitrary code inserted by an attacker would therefore
run with root privileges.
There is a significant secondary impact. An attacker
who is able to compromise a CVS server could modify
source-code repositories to contain Trojan horses, backdoors,
or other malicious code.
- Systems running CVS Home project versions of CVS prior
- Operating system distributions that provide CVS
- Source code repositories managed by CVS
Apply the appropriate patch or upgrade specified by
Disable or restrict anonymous
As a temporary solution until patches or upgrades can
be applied, or to improve the security of CVS servers
in the long term:
- Disable anonymous CVS server
- Block or restrict access
to CVS servers from untrusted hosts and networks.
Anonymous access to CVS servers using :cvspserver:
is typically provided on port 2401/tcp.
- Configure CVS servers to
run in restricted (chroot) environments.
- Host CVS servers on single-purpose,
These workarounds and configurations
are not complete solutions and will not prevent exploitation
of this vulnerability. Other features inherent in CVS
may give anonymous users the ability to gain shell access.
Conectiva Linux is affected by this issue and updated
packages are available at: atualizacoes.conectiva.com.br/
Debian has updated their distribution with DSA 233.
For the stable distribution
(woody) this problem has been fixed in version 1.11.1p1debian-8.1.
For the old stable distribution (potato) this problem
has been fixed in version 1.10.7-9.2.
For the unstable distribution (sid) this problem will
be fixed soon.
Red Hat, Inc.
Red Hat Linux and Red Hat Linux Advanced Server shipped
with a CVS package that is vulnerable to these issues. New
CVS packages are now available along with the advisory
at the URLs below. Users of the Red Hat Network can
update their systems using the 'up2date' tool.
Red Hat Linux Advanced Server:
Red Hat Linux: rhn.redhat.com/errata/RHSA-2003-012.html
Sun Microsystems Inc.
Sun does not include CVS with Solaris and therefore
Solaris is not affected by this issue. Sun does provide
CVS on the Solaris Companion CD: wwws.sun.com/software/solaris/freeware/index.html
as an unsupported package which installs to /opt/sfw
and is vulnerable to this issue. Sites using the freeware
version of CVS from the Solaris Companion CD will have
to upgrade to a later version from CVS Home.
Buffer Overflow in Sendmail
There is a vulnerability in sendmail that may allow
remote attackers to gain the privileges of the sendmail
daemon, typically root.
Researchers at Internet Security Systems (ISS) discovered
a remotely exploitable vulnerability in sendmail. This
vulnerability could allow an intruder to gain control
of a vulnerable sendmail server. Most organizations
have a variety of mail transfer agents (MTAs) at various
locations within their network, with at least one exposed
to the Internet. Since sendmail is the most popular
MTA, most medium-sized to large organizations are likely
to have at least one vulnerable sendmail server. In
addition, many Unix and Linux workstations provide a
sendmail implementation that is enabled and running
by default. A successful attack against an unpatched
sendmail system will not leave any messages in the system
log. However, on a patched system, an attempt to exploit
this vulnerability will leave the following log message:
Dropped invalid comments from
Although this does not represent conclusive evidence
of an attack, it may be useful as an indicator.
A patched sendmail server will drop invalid headers,
thus preventing downstream servers from receiving them.
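As an added illustration (not code from the original column), the following Python script scans syslog output for the indicator quoted above and correlates it with sendmail's per-message lines so that repeated hits can be attributed to a sending relay. The sample log lines, the queue-id and relay= layout, and the text following the quoted fragment are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the column). Only the fragment
# "Dropped invalid comments from" is quoted in the advisory; the rest of the
# message text and the queue-id/relay layout are assumed sendmail formats.
SAMPLE_LOG = """\
Mar  4 02:11:09 mx1 sendmail[4471]: h24AB9xx004471: from=<alice@example.net>, size=1203, class=0, nrcpts=1, relay=mail.example.net [192.0.2.10]
Mar  4 02:13:42 mx1 sendmail[4480]: h24ADgxx004480: Dropped invalid comments from header address
Mar  4 02:13:42 mx1 sendmail[4480]: h24ADgxx004480: from=<bob@example.org>, size=52217, class=0, nrcpts=1, relay=[198.51.100.7]
Mar  4 02:20:01 mx1 sendmail[4495]: h24AK1xx004495: Dropped invalid comments from header address
Mar  4 02:20:01 mx1 sendmail[4495]: h24AK1xx004495: from=<bob@example.org>, size=52310, class=0, nrcpts=1, relay=[198.51.100.7]
Mar  4 02:25:17 mx1 sendmail[4502]: h24APHxx004502: Dropped invalid comments from header address
"""

INDICATOR = "Dropped invalid comments from"   # fragment quoted in the advisory
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\S+): (?P<msg>.*)$")
RELAY_RE = re.compile(r"relay=(?P<relay>[^,]+)")


def scan(log_text):
    """Return {relay: hit count}, correlating indicator lines with the
    from= line of the same queue id. Hits whose queue id never logged a
    relay are reported under 'unknown'."""
    hits = set()      # queue ids that logged the indicator
    relay_of = {}     # queue id -> relay string taken from its from= line
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        if msg.startswith(INDICATOR):
            hits.add(qid)
        r = RELAY_RE.search(msg)
        if r and msg.startswith("from="):
            relay_of[qid] = r.group("relay").strip()
    return dict(Counter(relay_of.get(q, "unknown") for q in hits))


def flagged_relays(log_text, threshold=2):
    """Relays that triggered the indicator at least `threshold` times."""
    return sorted(r for r, n in scan(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for relay, n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{n:3d}  {relay}")
```

A single hit is, as the column notes, not conclusive; the per-relay count is what makes the indicator worth acting on.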
Sendmail Pro (all versions)
Sendmail Switch 2.1 prior to 2.1.5, 2.2 prior to 2.2.5,
3.0 prior to 3.0.3
Sendmail for NT 2.X prior to 2.6.2, NT 3.0 prior to
Systems running open-source sendmail versions prior
to 8.12.8, including Unix and Linux systems
Apply a patch from Sendmail
Sendmail has produced patches for versions 8.9, 8.10,
8.11, and 8.12. However, the vulnerability also exists
in earlier versions of the code; therefore, site administrators
using an earlier version are encouraged to upgrade to
8.12.8. These patches are located at
Enable the RunAsUser option
There is no known workaround for this vulnerability.
Until a patch can be applied, you may set the RunAsUser
option to reduce the impact of this vulnerability.
Apple Computer, Inc
Security Update 2003-03-03 is available to fix this
issue. Packages are available for Mac OS X 10.1.5 and
Mac OS X 10.2.4. It should be noted that sendmail is
not enabled by default on Mac OS X, so only those systems
which have explicitly enabled it are susceptible to
the vulnerability. All customers of Mac OS X, however,
are encouraged to apply this update to their systems.
The AIX operating system is vulnerable to the sendmail
A temporary patch is available through an efix package
which can be found at: ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z
The Sendmail Consortium
The Sendmail Consortium suggests that sites upgrade
to 8.12.8 if possible. Alternatively, patches are available
for 8.9, 8.10, 8.11, and 8.12 on www.sendmail.org/
Solaris 2.6, 7, 8 and 9 are vulnerable
Sun will be publishing a Sun Alert for the issue at
the following location shortly:
The patches listed in the Sun
Alert will be available from: sunsolve.sun.com/securitypatch