Bugtraqmailing list archives

By Date

By Thread

Security Advisory for CVS Slash

There has been a security issue in CVS Slash code for the lastcouple of years which was found recently.  This is something thatsite administrators should be concerned about.Slash is the CMS "blog" software which runs Slashdot.org andnumerous other websites.  Slashdot, and the other Slash websites runby OSTG, are not currently vulnerable.We are urging all sites which are using a version of the code fromCVS to upgrade now to the CVS tag R_2_5_0_41.  Sites which are usingthe 2.2.6 tarball, the latest official release, do not need toupgrade (the issue is not present there).Normally we do not make security announcements for CVS code, becausewhen we have found them in the past, the issues were extremely smalland/or fixed within days.  This one has been around for a long time,though, and affects many of the R_ tags which we have beenrecommending sites use, so we're publicly urging site admins toupgrade.  (R_ tags in CVS are ones which we consider relativelystable, while T_ tags should be used primarily for testing.)This issue was found by Michael Krax <http://www.mikx.de/>, who weunderstand is working on publishing the details of the vulnerabilitysoon.  We hope that motivates site admins to upgrade sitesimmediately.  We thank Mr. Krax for working with us by reportingthis vulnerability to us in a responsible manner.In about a week, in any case, we will make the details publicourselves and offer a patch which will allow you to secure yoursites without performing a full upgrade to R_2_5_0_41.If you are using CVS code from June 2004 or earlier -- the x_2_3_*tags -- please note that upgrading from a x_2_3_* tag to an x_2_5_*tag is nontrivial.  What you'll want to do is    cvs update -r T_2_5_0_4 -dPand then apply the upgrades file in the normal fashion, includingrunning utils/convertDBto200406 where it says to do so.  Then    cvs update -r R_2_5_0_41 -dPand continue applying the rest of the upgrades file.Any questions about the upgrade process, or other comments on thisissue, can be posted on the Slashcode website story for thisannouncement:    <http://www.slashcode.com/article.pl?sid=04/12/15/1540200>or can be asked in the channel #slash on irc.slashnet.org.  We'llmake a solid effort to help anyone upgrade who needs to.However, for security reasons, we cannot reveal more details aboutthe issue until next week, when all sites have had a chance toupgrade.  Watchhttp://www.slashcode.com/ next week for fulldisclosure.  And if you run a Slash site and aren't alreadysubscribed to the slashcode-general mailing list, you should be:https://lists.sourceforge.net/lists/listinfo/slashcode-generalOur apologies for this oversight.  This is the first securitynotification issued for Slash in over two years, but one is toomany, and we are reviewing our programming process to try to preventthis from happening again.Private questions about these issues can be addressed to me on IRC(user "jamie" in #slash on irc.slashnet.org) or in email at<jamie () slashdot org>;  to notify us of additional security issues wemay not be aware of, please email <security () slashcode com>.Thank you.--   Jamie McCarthy  jamie () slashdot org

By Date

By Thread

Current thread:

• Security Advisory for CVS SlashJamie McCarthy (Dec 15)