|Title||Security Advisory for CVS Slash|
|Date||Wednesday December 15 2004, @10:42AM|
There has been a security issue in CVS Slash code for the last couple of years which was found recently. This is something that site administrators should be concerned about.
We are urging all sites which are using a version of the code from CVS to upgrade now to the CVS tag R_2_5_0_41. Sites which are using the 2.2.6 tarball, the latest official release, do not need to upgrade (the issue is not present there).
Normally we do not make security announcements for
This issue was found by Michael Krax <
In about a week, in any case, we will make the details public ourselves and offer a patch which will allow you to secure your sites without performing a full upgrade to R_2_5_0_41.
If you are using CVS code from June 2004 or earlier -- the x_2_3_* tags -- please note that upgrading from a x_2_3_* tag to an x_2_5_* tag is nontrivial. What you'll want to do is
cvs update -r T_2_5_0_4 -dP
and then apply the upgrades file in the normal fashion, including running utils/convertDBto200406 where it says to do so. Then
cvs update -r R_2_5_0_41 -dP
and continue applying the rest of the upgrades file.
Any questions about the upgrade process can be posted here, on this slashcode.com story, or can be asked in the channel #slash on irc.slashnet.org. We'll make a solid effort to help anyone upgrade who needs to.
However, for security reasons, we cannot reveal more details about the issue until next week, when all sites have had a chance to upgrade. Watch this website next week for full disclosure. (If you haven't already, you may want to create a user on slashcode.com and set it up to email you the daily headlines.) And if you run a Slash site and aren't already subscribed to the slashcode-general mailing list, you should be:
Our apologies for this oversight. This is the first security notification issued for Slash in over two years, but one is too many, and we are reviewing our programming process to try to prevent this from happening again.
Private questions about these issues can be addressed to me on IRC (user "jamie" in #slash on irc.slashnet.org) or in email at firstname.lastname@example.org; to notify us of additional security issues we may not be aware of, please email email@example.com. Thank you.
printed from Slashcode, Security Advisory for CVS Slash on 2012-02-07 00:15:18