Subject: Re: cvs 1.11.10 will be imported
To: Jun-ichiro itojun Hagino <itojun@itojun.org>
From: Klaus Klein <kleink@reziprozitaet.de>
List: tech-userlevel
Date: 12/10/2003 13:21:00
On Wednesday 10 December 2003 12:42, you wrote:

> > > 	i will import cvs 1.11.10, as it includes security fix.
> > >
> > > itojun
> > >
> > >
> > > SERVER SECURITY ISSUES
> > >
> > > Malformed module requests could cause the CVS server to attempt to
> > > create directories and possibly files at the root of the filesystem
> > > holding the CVS repository. Filesystem permissions usually prevent
> > > the creation of these misplaced directories, but nevertheless, the
> > > CVS server now rejects the malformed requests.
> >
> > This particular issue seems to be addressed within a single, isolatable
> > patch hunk buried in the 1.11.10 release.  ISTR concerns having been
> > voiced recently about interoperatibility issues of recent CVS releases,
> > so is it necessary to jump the gun all the way from 1.11.5?
>
> 	i'm not aware of the "interoperability issue".  any pointers?
> 	(i have no problem using cvs 1.11.10 against cvs.netbsd.org)

http://mail-index.netbsd.org/netbsd-users/2003/12/05/0008.html, for a
very recent recent one.  This was also noted repeatedly in
project-internal circulation.

Again, please pay a little more attention before going ahead on such
issues; I do recall you applying isolated security fixes in the past,
as opposed to importing a release in which these are buried in heaps
of unrelated changes.


- Klaus