Re: [Debian-sf-users] cvsweb and CVE-2000-0670

[Christian BAYLE]

Justin Richer wrote:
> I've run into this problem at my organization as well (MITRE), and here's
> what I've found out:
>
> The cvsweb script in Debian-SF is based on version 1.112 (which is several
> revisions above 1.85, as you can see). The problem lies in how Nessus
> determines the version of cvsweb: It uses an HTML comment in the generated
> output of the cvsweb pages that contains an expanded $Revision$ CVS tag.
> This is a very broken way of reporting the version, because the instant it
> is checked into another CVS repository (as happened with Debian-SF) the
> apparent version changes, and in our case effectively re-sets to 1.2. A
> little research dug up that not only is version 1.2 very old, it was also
> (as far as I can gather) in German, making it rather unfit for our purposes
> here :). I'm not even sure if it was publicly released, actually. But that's
> all a moot point. To answer, yes, the version is secure.
>
> On another note, I've recently done some work to integrate Chora into our
> version of SF here, but:
>   1) It's based on 2.5
>   2) It relies on a bunch of changes to the theme architecture
>   3) It also makes use of our security system
Thanks for the note
> I'll gladly submit things back, but since we're supporting a 2.5-based site,
> I gathered there wasn't much interest in our code.
Would be interested to know how you integrated chora in your code
Do you use debian package?
Did you do some work to support some kind of interface to horde lib in
debian-sf?
Did you made some test with phpgroupware-chora ?
Do you have some plan to migrate to gforge?

Cheers

Christian
>  -- Justin
>
> ----- Original Message -----
> From: "Lee Sheridan" <address@hidden>
> To: <address@hidden>
> Sent: Wednesday, April 09, 2003 12:59 PM
> Subject: [Debian-sf-users] cvsweb and CVE-2000-0670
>
>
> > Hi.  I'm setting up a SF site, based on the current debian-sf 2.6 out of
> > CVS.
> >
> > Part of our local policy for newly network attached systems is an ISS or
> > Nessus scan.  Nessus is complaining that "The remote cvsweb is older or
> > as old as version 1.85", and points to CVE-2000-0670.
> >
> > The Bugtraq message is here:
> >
> >   http://www.securityfocus.com/archive/1/69942/2000-07-06/2000-07-12/0
> >
> > Looking at the sf code, I see that parts of cvsweb were integrated into
> > the Debian tree.
> >
> > Quoting /sourceforge-2.6/deb-specific/cvsweb/cvsweb.cgi:
> >
> >  # Based on:
> >  # * Bill Fenners cvsweb.cgi revision 1.28 available from:
> >  #   http://www.freebsd.org/cgi/cvsweb.cgi/www/en/cgi/cvsweb.cgi
> >
> > So my question is -- was this vulnerability patched in the debian-sf
> > branch of the cvsweb code, or irrelavent in the debian-sf code?  I admit
> > to not being a good enough coder to confidently proclaim that I consider
> > it to be a false positive.
> >
> > Thanks in advance.
> >
> > --
> > Lee Sheridan                            301.286.5898 voice
> > NASA / Goddard Space Flight Center      address@hidden
> > Computer Sciences Corporation           Building 28, Room S241
> > Code 931
> >
> >
> > _______________________________________________
> > Debian-sf-users mailing list
> > address@hidden
> > http://mail.nongnu.org/mailman/listinfo/debian-sf-users
> >
> >   
>
>
>
>
> _______________________________________________
> Debian-sf-users mailing list
> address@hidden
> http://mail.nongnu.org/mailman/listinfo/debian-sf-users