Debian CVS repouid Patch pserver Access Method Authentication Bypass

2005-04-27T04:45:09
ID OSVDB:15887
Type osvdb
Reporter Alberto Garcia, Maks Polunin
Modified 2005-04-27T04:45:09

Description

Vulnerability Description

Debian CVS contains a flaw that may allow a malicious user to bypass the password protection. The issue is triggered when using the pserver access method in conjunction with the repouid patch, allowing an attacker to bypass user authentication and gain access to the repository, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 1.11.1p1debian-10 or higher for stable, or to version 1.12.9-11 or higher for unstable, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


References:

Secunia Advisory ID: 15126
Related OSVDB ID: 15888
Other Advisory URL: http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0596.html
Other Advisory URL: http://www.debian.org/security/2005/dsa-715
ISS X-Force ID: 20282
Generic Informational URL: http://www.wiggy.net/code/cvs-repouid/
CVE-2004-1342
CIAC Advisory: P-195
Bugtraq ID: 13402