

New security vulnerabilities in CVS open source tool


June 17, 2004

An in-depth evaluation of CVS, a common open source tool, has uncovered more critical security holes in software used by developers to track and manage important changes in computer programming code. No fewer than six vulnerabilities were discovered in the Concurrent Versions System (CVS), which is used to track and manage code on a number of leading open source software development projects.

CVS is also used by companies and organizations developing proprietary software.

The holes could enable remote attackers to launch denial of service attacks or run malicious code on systems hosting vulnerable versions of CVS, according to an alert published by e-matters GmbH.

Word of the new vulnerabilities comes just two weeks after another security hole in the software was used to hack the CVS project Web site. That compromise prompted an investigation of the CVS computer code, which revealed the latest holes, according to e-matters.

While some of the new vulnerabilities require a valid CVS user or administrator login to use, others can be exploited remotely and with few privileges on the vulnerable system, said David Endler, director of digital vaccine at TippingPoint Technologies Inc., which makes network intrusion prevention systems.

In particular, a vulnerability in a CVS function called "double-free()" was used to exploit a number of systems running the Linux operating system, according to the e-matters alert.

"I wouldn't be surprised to see an exploit for the double-free vulnerability within the next few days," Endler said.

The CVS project released a software update fixing the holes, including the three discovered by e-matters researcher Stefan Esser.

There is no evidence that the new holes have resulted in attacks. However, once security holes are announced, a race begins between organizations that need to patch their systems and hackers eager to take advantage of the vulnerability, Endler said. That is especially true of open source code projects, where the raw code that underlies products is in the public domain, he said.

The news of vulnerabilities in the CVS product has raised concerns about the security of open source projects, many of which have been breached by hackers in recent years.

In October 2002, for example, a Trojan horse program was discovered in some distributions of the open source Sendmail e-mail software. In August 2003, the Free Software Foundation, sponsors of the GNU free software project, said that a key server housing the group's Linux software was broken into by a malicious hacker.

Open source development projects rely on the assumption that the platforms people use to collaborate on the development are secure.

Vulnerabilities in the CVS product and hacking of CVS project resources invariably cause people to wonder whether the products developed using CVS might also have unknowingly been compromised by hackers, Endler said.

Source: IT World Canada

