| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Alfred Perlstein <bright(at)wintelcom(dot)net> |
| Cc: | Vince Vielhaber <vev(at)michvhf(dot)com>, pg-web(at)hub(dot)org, pgsql-committers(at)postgresql(dot)org |
| Subject: | Re: [WEBMASTER] 'www/html/devel-corner index.html' |
| Date: | 2000-09-25 20:04:05 |
| Message-ID: | 6774.969912245@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Alfred Perlstein <bright(at)wintelcom(dot)net> writes:
> It's on security focus:
> Cvsweb 1.80 makes an insecure call to the
> perl OPEN function, providing attackers with
> write access to a cvs repository the ability to
^^^^^^^^^^^^
> execute arbitrary commands on the host
> machine. The code that is being exploited
> here is the following: open($fh, "rlog
> '$filenames' 2>/dev/null |")
> Actually, now that I've looked at it you guys seem to be using 1.93
> a bit newer than the vulnerable version.
Since we don't hand out cvs write access very freely, this doesn't seem
like a big problem. Still, it might be a good idea to actually remove
the old version of cvsweb (cvswebtest) rather than just not have it
linked to anymore ...
> Do you guys have a private developers' list that doesn't get broadcast
> back out that I can use if anything like this pops up in the future?
You can send security concerns to pgsql-core(at)postgreSQL(dot)org --- the core
list isn't publicly readable (or even archived anywhere, AFAIK).
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Vince Vielhaber | 2000-09-25 20:32:40 | Re: [WEBMASTER] 'www/html/devel-corner index.html' |
| Previous Message | Vince Vielhaber | 2000-09-25 19:38:03 | [WEBMASTER] 'www/html/devel-corner index.html' |