security flaw

Integer overflow in the "Max-dotdot" CVS protocol command servemaxdotdot for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space...

security flaw

CVS before 1.11 allows CVS clients to read arbitrary files via .. dot dot sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180...