BNET UK
silicon.com
ZDNet UK

Home
News
Blogs
Reviews
Videos
Jobs
Resources
Community

Leader
Comment
White Papers
Downloads
Special Reports

Hardware
Software
Communications
Internet
Security
IT Management
Emerging Tech
Leader

Group Blogs
News Blog
Post Room
Rupert's Diary

Hardware Reviews
Software Reviews
Editors' Choice
Buyer's Guides
Tech Guides
Competitions

Dialogue Box
Security threats
Server platforms
Mobile devices
Application development
Full video index

Articles
White Papers
Downloads
Companies
Broadband Speed Test

People
Competitions
Post Room
FAQ

You are here: ZDNet UK > News > Software

Desktop platforms Toolkit

Open-source code maintainer filled with flaws

Tags:
Open Source,
Security Holes,
Linux,
Flaw

Published: 10 Jun 2004 09:05 BST

Security researchers have found at least six more flaws in the open-software world's most popular program for maintaining code under development.

According to a representative of the project that oversees the program, known as the Concurrent Versions System, the vulnerabilities include a flaw that could let an attacker take control of a CVS server from the Internet, putting the code repository's contents at risk. The flaws were discovered as part of an analysis of the program's code following the announcement last month of a similar set of issues.

The security flaws underscore the advice of CVS Project leaders, who say development teams should not be placing source-code repositories directly on the Internet. Rather, the repositories should be accessible only on private local networks or through VPNs (virtual private networks), said Derek Robert Price, one of three maintainers of the CVS Project and the project's release manager.

"We have always said that CVS is not secure," he said. "We have never made any quibbles about that."

Major open-source projects, including the Apache Foundation's Apache Web server and the GNOME and KDE Linux desktops, use the Concurrent Versions System to manage code under development. The software allows programmers to check in changed code, and it tracks the different versions of a program under development.

The major projects using the program were notified of the issues on 28 May. On Wednesday, the security holes were publicly announced.

The majority of the issues were found by two researchers who vetted the source code after the patch for previous flaws was released in May. One of the researchers, Stefan Esser, also found the previous security holes. The issue became even more serious when an online vandal apparently used the former vulnerabilities to gain access to the CVS Project's server and send an email that said he had gained access. The project has retired that server and plans to analyse its files for evidence of the attack, Price said.

The project has already issued a software update to patch the issue, as has Linux seller SuSE. Other Linux distributions that include the software are expected to release updates this week.

Did you find this article useful?
40 out of 99 people found this useful

Share this article:
Digg
Slashdot
Del.ici.ous
Stumble
Reddit

Company/Topic Alerts

Create a new alert from the list below:

Flaw
security holes

Linux
Open source

Video

Install Flash Player plugin

Find out more: From The Labs: A look at...

All videos
Most popular videos
Latest videos

Microsoft Windows 7 Special Report Special Report

How Microsoft can make Windows 7 a success

Comment Many businesses have given Vista a wide berth; Microsoft must focus on five areas to make sure Windows 7 doesn't suffer the same fate, argues TechRepublic's Jason Hiner