Bugtraq mailing list archives
Security Advisory for CVS Slash
From: Jamie McCarthy <jamie () slashdot org>
Date: Wed, 15 Dec 2004 11:03:56 -0500
There has been a security issue in CVS Slash code for the last couple of years which was found recently. This is something that site administrators should be concerned about. Slash is the CMS "blog" software which runs Slashdot.org and numerous other websites. Slashdot, and the other Slash websites run by OSTG, are not currently vulnerable. We are urging all sites which are using a version of the code from CVS to upgrade now to the CVS tag R_2_5_0_41. Sites which are using the 2.2.6 tarball, the latest official release, do not need to upgrade (the issue is not present there). Normally we do not make security announcements for CVS code, because when we have found them in the past, the issues were extremely small and/or fixed within days. This one has been around for a long time, though, and affects many of the R_ tags which we have been recommending sites use, so we're publicly urging site admins to upgrade. (R_ tags in CVS are ones which we consider relatively stable, while T_ tags should be used primarily for testing.) This issue was found by Michael Krax <http://www.mikx.de/>, who we understand is working on publishing the details of the vulnerability soon. We hope that motivates site admins to upgrade sites immediately. We thank Mr. Krax for working with us by reporting this vulnerability to us in a responsible manner. In about a week, in any case, we will make the details public ourselves and offer a patch which will allow you to secure your sites without performing a full upgrade to R_2_5_0_41. If you are using CVS code from June 2004 or earlier -- the x_2_3_* tags -- please note that upgrading from a x_2_3_* tag to an x_2_5_* tag is nontrivial. What you'll want to do is cvs update -r T_2_5_0_4 -dP and then apply the upgrades file in the normal fashion, including running utils/convertDBto200406 where it says to do so. Then cvs update -r R_2_5_0_41 -dP and continue applying the rest of the upgrades file. Any questions about the upgrade process, or other comments on this issue, can be posted on the Slashcode website story for this announcement: <http://www.slashcode.com/article.pl?sid=04/12/15/1540200> or can be asked in the channel #slash on irc.slashnet.org. We'll make a solid effort to help anyone upgrade who needs to. However, for security reasons, we cannot reveal more details about the issue until next week, when all sites have had a chance to upgrade. Watch http://www.slashcode.com/ next week for full disclosure. And if you run a Slash site and aren't already subscribed to the slashcode-general mailing list, you should be: https://lists.sourceforge.net/lists/listinfo/slashcode-general Our apologies for this oversight. This is the first security notification issued for Slash in over two years, but one is too many, and we are reviewing our programming process to try to prevent this from happening again. Private questions about these issues can be addressed to me on IRC (user "jamie" in #slash on irc.slashnet.org) or in email at <jamie () slashdot org>; to notify us of additional security issues we may not be aware of, please email <security () slashcode com>. Thank you. -- Jamie McCarthy jamie () slashdot org
Current thread:
- Security Advisory for CVS Slash Jamie McCarthy (Dec 15)