Debian Security Advisory
DSA-3940-1 cvs -- security update
- Date Reported:
- 13 Aug 2017
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 871810.
In Mitre's CVE dictionary: CVE-2017-12836.
- More information:
It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command.
For the oldstable distribution (jessie), this problem has been fixed in version 2:1.12.13+real-15+deb8u1.
For the stable distribution (stretch), this problem has been fixed in version 2:1.12.13+real-22+deb9u1.
We recommend that you upgrade your cvs packages.