Executive Summary
Summary | |
---|---|
Title | cvs security update |
Informations | |||
---|---|---|---|
Name | RHSA-2012:0321 | First vendor Publication | 2012-02-21 |
Vendor | RedHat | Last vendor Modification | 2012-02-21 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated cvs packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Concurrent Version System (CVS) is a version control system that can record the history of your files. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. (CVE-2012-0804) All users of cvs are advised to upgrade to these updated packages, which contain a patch to correct this issue. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 784141 - CVE-2012-0804 cvs: client proxy_connect heap-based buffer overflow |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2012-0321.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:14821 | |||
Oval ID: | oval:org.mitre.oval:def:14821 | ||
Title: | DSA-2407-1 cvs -- heap overflow | ||
Description: | It was discovered that a malicious CVS server could cause a heap overflow in the CVS client, potentially allowing the server to execute arbitrary code on the client. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2407-1 CVE-2012-0804 | Version: | 7 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | cvs |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:15423 | |||
Oval ID: | oval:org.mitre.oval:def:15423 | ||
Title: | USN-1371-1 -- cvs vulnerability | ||
Description: | cvs: Concurrent Versions System cvs could be made to crash or run programs as your login if it connected to a malicious proxy server. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1371-1 CVE-2012-0804 | Version: | 7 |
Platform(s): | Ubuntu 11.04 Ubuntu 11.10 Ubuntu 10.04 Ubuntu 10.10 | Product(s): | cvs |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21133 | |||
Oval ID: | oval:org.mitre.oval:def:21133 | ||
Title: | RHSA-2012:0321: cvs security update (Moderate) | ||
Description: | Heap-based buffer overflow in the proxy_connect function in src/client.c in CVS 1.11 and 1.12 allows remote HTTP proxy servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP response. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:0321-01 CESA-2012:0321 CVE-2012-0804 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 CentOS Linux 5 CentOS Linux 6 | Product(s): | cvs |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23263 | |||
Oval ID: | oval:org.mitre.oval:def:23263 | ||
Title: | DEPRECATED: ELSA-2012:0321: cvs security update (Moderate) | ||
Description: | Heap-based buffer overflow in the proxy_connect function in src/client.c in CVS 1.11 and 1.12 allows remote HTTP proxy servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP response. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0321-01 CVE-2012-0804 | Version: | 7 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | cvs |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23565 | |||
Oval ID: | oval:org.mitre.oval:def:23565 | ||
Title: | ELSA-2012:0321: cvs security update (Moderate) | ||
Description: | Heap-based buffer overflow in the proxy_connect function in src/client.c in CVS 1.11 and 1.12 allows remote HTTP proxy servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP response. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0321-01 CVE-2012-0804 | Version: | 6 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | cvs |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27360 | |||
Oval ID: | oval:org.mitre.oval:def:27360 | ||
Title: | DEPRECATED: ELSA-2012-0321 -- cvs security update (moderate) | ||
Description: | [1.11.23-11.el6_2.1] - Fix CVE-2012-0804 (Resolves: #784338) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-0321 CVE-2012-0804 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | cvs |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2012-08-03 | Name : Mandriva Update for cvs MDVSA-2012:044 (cvs) File : nvt/gb_mandriva_MDVSA_2012_044.nasl |
2012-07-30 | Name : CentOS Update for cvs CESA-2012:0321 centos6 File : nvt/gb_CESA-2012_0321_cvs_centos6.nasl |
2012-04-02 | Name : Fedora Update for cvs FEDORA-2012-1383 File : nvt/gb_fedora_2012_1383_cvs_fc16.nasl |
2012-03-09 | Name : Ubuntu Update for cvs USN-1371-1 File : nvt/gb_ubuntu_USN_1371_1.nasl |
2012-02-27 | Name : RedHat Update for cvs RHSA-2012:0321-01 File : nvt/gb_RHSA-2012_0321-01_cvs.nasl |
2012-02-21 | Name : Fedora Update for cvs FEDORA-2012-1400 File : nvt/gb_fedora_2012_1400_cvs_fc15.nasl |
2012-02-12 | Name : Debian Security Advisory DSA 2407-1 (cvs) File : nvt/deb_2407_1.nasl |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-01-20 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201701-44.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_cvs_20140731.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-133.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_cvs-120222.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-51.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0321.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120221_cvs_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-03-30 | Name : The remote Mandriva Linux host is missing a security update. File : mandriva_MDVSA-2012-044.nasl - Type : ACT_GATHER_INFO |
2012-02-28 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_cvs-120222.nasl - Type : ACT_GATHER_INFO |
2012-02-28 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_cvs-7991.nasl - Type : ACT_GATHER_INFO |
2012-02-24 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0321.nasl - Type : ACT_GATHER_INFO |
2012-02-23 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1371-1.nasl - Type : ACT_GATHER_INFO |
2012-02-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0321.nasl - Type : ACT_GATHER_INFO |
2012-02-16 | Name : The remote Fedora host is missing a security update. File : fedora_2012-1383.nasl - Type : ACT_GATHER_INFO |
2012-02-16 | Name : The remote Fedora host is missing a security update. File : fedora_2012-1400.nasl - Type : ACT_GATHER_INFO |
2012-02-10 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2407.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:55:44 |
|