Security Information / 2017 / Security Information -- DSA-3940-1 cvs

Debian Security Advisory

DSA-3940-1 cvs -- security update

Date Reported:

13 Aug 2017

Affected Packages:

cvs

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 871810.
In Mitre's CVE dictionary: CVE-2017-12836.

More information:

It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed in version 2:1.12.13+real-15+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2:1.12.13+real-22+deb9u1.

We recommend that you upgrade your cvs packages.