Bugtraq mailing list archives
Re: cvs security problem
From: "Greg A. Woods" <woods () weird com>
Date: Tue, 1 Aug 2000 17:58:21 -0400
Subject: Re: cvs security problem

[ On Monday, July 31, 2000 at 08:12:03 (+0200), sama () AGLORIOSO COM wrote: ]
> Although I don't think it addresses this very problem, you might be interested in CVS-nserver (http://alexm.here.ru/cvs-nserver/), a rewrite of CVS to make it more modular and secure. I still haven't tried it myself, though.
CVS-nserver does not necessarily address the fundamental design issue. It can be run against the system /etc/passwd or PAM configuration, in which case it is no different in authorisation terms than SSH (or RSH), but in the case where it offers "virtual repositories" it repeats the same fundamental mistake the original cvspserver does and is equally vulnerable to some types of attacks.

Although CVS-nserver promises SSL support in the future, it is also in the meantime vulnerable to man-in-the-middle attacks, meaning that even in non-anonymous configurations it can potentially be subverted into offering trojaned code, or whatever.

The really simple solution to all this nonsense is to use CVS *only* through an already secure transport (such as SSH or stunnel or IPsec), in which case nothing need be changed in CVS itself (except for the removal of the cvspserver junk! ;-)

-- 
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
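As an added example (not part of the original post or of any CVS code), the following POSIX shell script audits a tree of CVS working copies for checkouts whose `CVS/Root` still uses the `:pserver:` method that the post advises against, and prints the equivalent `:ext:` root to use with `CVS_RSH=ssh`. The host and path `cvs.example.org:/cvsroot` in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example: find CVS checkouts that use the cleartext :pserver:
# method and suggest the SSH-tunnelled :ext: form instead.

# Print the access method of a CVSROOT string (pserver, ext, fork, ...);
# a plain path such as /usr/local/cvsroot is reported as "local".
cvsroot_method() {
    case "$1" in
        :*:*) printf '%s\n' "$1" | sed 's/^:\([^:]*\):.*/\1/' ;;
        *)    echo local ;;
    esac
}

# Exit 0 for transports that do not carry credentials in the clear
# (local filesystem, :fork:, or :ext: which rides on $CVS_RSH, i.e. ssh),
# 1 for :pserver:, and 2 for methods that need manual review
# (kserver/gserver depend entirely on the Kerberos/GSSAPI setup).
cvsroot_ok() {
    case "$(cvsroot_method "$1")" in
        local|ext|fork) return 0 ;;
        pserver)        return 1 ;;
        *)              return 2 ;;
    esac
}

# Rewrite ":pserver:user@host:/path" as ":ext:user@host:/path"; the same
# user, host and repository path are kept, only the transport changes.
pserver_to_ext() {
    printf '%s\n' "$1" | sed 's/^:pserver:/:ext:/'
}

# Walk a directory of checkouts and report every CVS/Root that fails
# cvsroot_ok, e.g. ":pserver:anoncvs@cvs.example.org:/cvsroot" (constructed).
audit_checkouts() {
    dir=${1:-.}
    find "$dir" -path '*/CVS/Root' -type f 2>/dev/null | while read -r f; do
        root=$(head -n1 "$f")
        if ! cvsroot_ok "$root"; then
            echo "$f: $root -> set CVS_RSH=ssh and use $(pserver_to_ext "$root")"
        fi
    done
}
```

Run `audit_checkouts /path/to/checkouts` before changing roots; after switching, `cvs -d ':ext:user@host:/cvsroot' checkout module` with `CVS_RSH=ssh` exported carries the session over SSH.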