=====================================================================
                            CERT-Renater

                 Information Note No. 2004/VULN286
_____________________________________________________________________

DATE                 : 11/06/2004

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running CVS.

======================================================================

An audit of the cvs codebase performed by Stefan Esser and Sebastian
Krahmer has found some potential remote vulnerabilities in cvs.
While no exploits are known to exist for these bugs under OpenBSD
at this time, some of the bugs have proven exploitable on other
operating systems. Therefore, we encourage users running cvs
servers to patch their systems. Users running cvs clients (but
not servers) do not need to update.

The fixes have been committed to OpenBSD-current as well as the
3.4 and 3.5 -stable branches.

Patches against OpenBSD 3.4 and 3.5 are also available:

    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/023_cvs3.patch
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.5/common/019_cvs3.patch

For more details, please see:

    http://security.e-matters.de/advisories/092004.html

======================================================================

=========================================================
CERT-Renater reference servers
    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================