
seCret steVe

Open source bug threatens Linux and CVS system


A weakness in the widely used Concurrent Versions System (CVS) version control tool has left Linux and open source code vulnerable to attack.

A Computer Emergency Response Team advisory has warned that the flaw could allow attackers to alter the operation of the CVS program, read sensitive information or launch denial of service attacks.

The CVS version management tool is by far the most popular resource used by the major Linux developers and companies to keep track of different software versions.

Although CVS is itself open source, it is used to keep track of all types of software used by a company.

The problem was first reported on 20 January by the German software, security and internet company E-Matters.

It has warned that, although companies have released patches for the vulnerability, it typically takes people two months to download and install the patch.

Kevin Besthorn, chief executive at E-Matters, said: "Anyone who is developing some sort of serious software uses this system to keep track of developments, so it can hit IT departments. Anyone that uses this should download the patch and install it."

The bug applies to release 1.11.4 and earlier of CVS. Among vendors that distribute CVS are Sun Microsystems (for Linux 5.0.3 and earlier), Red Hat, Debian, MandrakeSoft, Conectiva and Cray.

Most vendors have issued patches for the problem, according to Simon Dowlut, penetration tester and security consultant at analyst company Information Risk Management.

"Any bug that allows you to execute code of your choice is a bad thing," he said.

"It is possible that lots of code was compromised. It could have far-reaching consequences. But did anybody know before? Once it came to light everyone moved to issue patches."
