[WEBMASTER] 'www/html/devel-corner index.html'

* Vince Vielhaber <vev@hub.org> [000925 07:50] wrote:

Update of /home/projects/pgsql/cvsroot/www/html/devel-corner
In directory hub.org:/home/projects/pgsql/developers/vev/www/html/devel-corner

Modified Files:
index.html
Log Message:

Updated cvsweb

I haven't checked, but you guys are aware of the cvsweb vulnerability
that was posted a couple of weeks ago right?

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

On Mon, 25 Sep 2000, Alfred Perlstein wrote:

* Vince Vielhaber <vev@hub.org> [000925 07:50] wrote:

Update of /home/projects/pgsql/cvsroot/www/html/devel-corner
In directory hub.org:/home/projects/pgsql/developers/vev/www/html/devel-corner

Modified Files:
index.html
Log Message:

Updated cvsweb

I haven't checked, but you guys are aware of the cvsweb vulnerability
that was posted a couple of weeks ago right?

I missed that one. Do you recall any details?

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================

* Vince Vielhaber <vev@michvhf.com> [000925 11:55] wrote:

On Mon, 25 Sep 2000, Alfred Perlstein wrote:

* Vince Vielhaber <vev@hub.org> [000925 07:50] wrote:

Update of /home/projects/pgsql/cvsroot/www/html/devel-corner
In directory hub.org:/home/projects/pgsql/developers/vev/www/html/devel-corner

Modified Files:
index.html
Log Message:

Updated cvsweb

I haven't checked, but you guys are aware of the cvsweb vulnerability
that was posted a couple of weeks ago right?

I missed that one. Do you recall any details?

It's on security focus:

Cvsweb 1.80 makes an insecure call to the
perl OPEN function, providing attackers with
write access to a cvs repository the ability to
execute arbitrary commands on the host
machine. The code that is being exploited
here is the following: open($fh, "rlog
'$filenames' 2>/dev/null |")

Do you guys have a private developers' list that doesn't get broadcast
back out that I can use if anything like this pops up in the future?

Actually, now that I've looked at it you guys seem to be using 1.93
a bit newer than the vulnerable version.

Sorry for the scare but you may want to double check.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

On Mon, 25 Sep 2000, Alfred Perlstein wrote:

Do you guys have a private developers' list that doesn't get broadcast
back out that I can use if anything like this pops up in the future?

Send it to webmaster@postgresql.org

Actually, now that I've looked at it you guys seem to be using 1.93
a bit newer than the vulnerable version.

Sorry for the scare but you may want to double check.

Glad you did. I never even saw that one go by.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================

Alfred Perlstein <bright@wintelcom.net> writes:

It's on security focus:

Cvsweb 1.80 makes an insecure call to the
perl OPEN function, providing attackers with
write access to a cvs repository the ability to

^^^^^^^^^^^^

execute arbitrary commands on the host
machine. The code that is being exploited
here is the following: open($fh, "rlog
'$filenames' 2>/dev/null |")

Actually, now that I've looked at it you guys seem to be using 1.93
a bit newer than the vulnerable version.

Since we don't hand out cvs write access very freely, this doesn't seem
like a big problem. Still, it might be a good idea to actually remove
the old version of cvsweb (cvswebtest) rather than just not have it
linked to anymore ...

Do you guys have a private developers' list that doesn't get broadcast
back out that I can use if anything like this pops up in the future?

You can send security concerns to pgsql-core@postgreSQL.org --- the core
list isn't publicly readable (or even archived anywhere, AFAIK).

regards, tom lane

On Mon, 25 Sep 2000, Tom Lane wrote:

Alfred Perlstein <bright@wintelcom.net> writes:

It's on security focus:

Cvsweb 1.80 makes an insecure call to the
perl OPEN function, providing attackers with
write access to a cvs repository the ability to

^^^^^^^^^^^^

execute arbitrary commands on the host
machine. The code that is being exploited
here is the following: open($fh, "rlog
'$filenames' 2>/dev/null |")

Actually, now that I've looked at it you guys seem to be using 1.93
a bit newer than the vulnerable version.

Since we don't hand out cvs write access very freely, this doesn't seem
like a big problem. Still, it might be a good idea to actually remove
the old version of cvsweb (cvswebtest) rather than just not have it
linked to anymore ...

Done.

Do you guys have a private developers' list that doesn't get broadcast
back out that I can use if anything like this pops up in the future?

You can send security concerns to pgsql-core@postgreSQL.org --- the core
list isn't publicly readable (or even archived anywhere, AFAIK).

regards, tom lane

--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================