=====================================================================
CERT-Renater Information Note No. 2004/VULN216
_____________________________________________________________________

DATE                 : 06/05/2004
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running CVS.
======================================================================

Pathname validation problems have been found in cvs(1). They allow:

  - malicious clients to create files outside the repository on the
    server;
  - malicious servers to overwrite files outside the local CVS tree
    (the checked-out working copy) on the client;
  - clients to check out files outside the CVS repository.

Both sides of a CVS connection are therefore concerned: a server that
accepts connections from untrusted clients, and a client that connects
to a server its user does not control (for example anonymous access).

CVE Ids :
  CAN-2003-0977
  CAN-2004-0180
  CAN-2004-0405

The problems have been fixed in OpenBSD-current as well as the
3.5-stable, 3.4-stable and 3.3-stable branches. Patches are
available from:

  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/017_cvs.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/022_cvs.patch

For more information, see:

  http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84
  http://ccvs.cvshome.org/servlets/NewsItemView?newsID=102
======================================================================

=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================
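The three problems described in this note share one root cause: a pathname received from the remote peer (a module name on the server side, a file or directory name on the client side) was joined onto the repository or working-copy root without checking that the result stayed inside that root. The following is an added example, not code from OpenBSD, CERT-Renater or the CVS project, of the lexical check each side needs before it uses a peer-supplied path; the function names path_is_safe and sandbox_join and the sample inputs are assumptions chosen for this illustration.

```c
/* Added example (not from OpenBSD or CVS): validate a pathname received
 * from the remote peer before joining it onto a trusted root directory. */
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if `path` is a plain relative path that cannot leave the
 * directory it is joined onto: not absolute, no empty component
 * ("a//b", trailing "/"), and no "." or ".." component.  Return 0
 * otherwise.  The check is purely lexical; it does not resolve symlinks.
 */
int path_is_safe(const char *path)
{
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 0;
    if (*path == '/')                       /* absolute: ignores the root */
        return 0;

    for (;;) {
        size_t len = strcspn(p, "/");       /* length of this component */

        if (len == 0)                       /* "//" or trailing "/" */
            return 0;
        if (len == 1 && p[0] == '.')
            return 0;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                       /* ".." climbs out of the tree */
        p += len;
        if (*p == '\0')
            return 1;
        p++;                                /* skip the '/' separator */
    }
}

/*
 * Join `rel` onto `root` into `out` (size `outlen`) only if `rel` passes
 * path_is_safe().  Return 1 on success, 0 if the path was rejected or
 * would not fit in the buffer.
 */
int sandbox_join(const char *root, const char *rel, char *out, size_t outlen)
{
    int n;

    if (!path_is_safe(rel))
        return 0;
    n = snprintf(out, outlen, "%s/%s", root, rel);
    if (n < 0 || (size_t)n >= outlen)
        return 0;                           /* truncated: refuse rather than guess */
    return 1;
}

int main(void)
{
    /* Constructed sample inputs (assumptions for this example): strings a
     * peer might send in place of a file, directory or module name. */
    const char *samples[] = {
        "src/main.c", "/etc/passwd", "../../.ssh/authorized_keys",
        "src/../../x", "src//x", "src/", "..hidden/file", NULL
    };
    char buf[256];

    for (int i = 0; samples[i] != NULL; i++)
        printf("%-30s %s\n", samples[i],
               sandbox_join("/var/cvs/repo", samples[i], buf, sizeof buf)
                   ? buf : "REJECTED");
    return 0;
}
```

The check rejects exactly the two shapes the advisory names, absolute paths and paths containing "..", plus empty and "." components that serve no legitimate purpose in a protocol message. It is intentionally lexical: a symbolic link already present inside the tree can still redirect a write elsewhere, so a server or client that must tolerate untrusted trees needs an additional check at open time. On the server the same function applies to module names; on the client, to every file and directory name the server sends.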