[FLSA-2004:1620] Updated cvs resolves security vulnerabilities

Dominic Hargreaves dom at earth.li
Fri Jun 4 16:00:25 UTC 2004


On Fri, Jun 04, 2004 at 08:19:47AM -0700, Jesse Keating wrote:

> Odd, I couldn't duplicate on my 7.3 boxes, but I was using yum to update.  
> What happens if you do "info cvsclient" ?  I get the cvs client info page, 
> do you?

Nope. The info pages seem to be missing/corrupted. Comparing your binary
RPM with one I've just rebuilt:

[dom at isay misc]$ diff -u <(rpm -qlp /usr/local/RPMS/legacy/updates/i386/cvs-1.11.1p1-14.legacy.3.i386.rpm) <(rpm -qlp cvs-1.11.1p1-14.legacy.3.i386.rpm)
--- /dev/fd/63  Fri Jun  4 16:56:10 2004
+++ /dev/fd/62  Fri Jun  4 16:56:10 2004
@@ -31,7 +31,19 @@
 /usr/share/doc/cvs-1.11.1p1/cvs-paper.ps
 /usr/share/doc/cvs-1.11.1p1/cvs.ps
 /usr/share/doc/cvs-1.11.1p1/cvsclient.ps
+/usr/share/info/cvs.info-1.gz
+/usr/share/info/cvs.info-2.gz
+/usr/share/info/cvs.info-3.gz
+/usr/share/info/cvs.info-4.gz
+/usr/share/info/cvs.info-5.gz
+/usr/share/info/cvs.info-6.gz
+/usr/share/info/cvs.info-7.gz
+/usr/share/info/cvs.info-8.gz
+/usr/share/info/cvs.info-9.gz
 /usr/share/info/cvs.info.gz
+/usr/share/info/cvsclient.info-1.gz
+/usr/share/info/cvsclient.info-2.gz
+/usr/share/info/cvsclient.info-3.gz
 /usr/share/info/cvsclient.info.gz
 /usr/share/man/man1/cvs.1.gz
 /usr/share/man/man5/cvs.5.gz

(and likewise comparing the current and previous official binary RPMs:

[dom at isay misc]$ diff -u <(rpm -qlp /usr/local/RPMS/tmp/cvs-1.11.1p1-9.7.legacy.i386.rpm) <(rpm -qlp /usr/local/RPMS/legacy/updates/i386/cvs-1.11.1p1-14.legacy.3.i386.rpm)
--- /dev/fd/63  Fri Jun  4 16:57:57 2004
+++ /dev/fd/62  Fri Jun  4 16:57:57 2004
@@ -31,19 +31,7 @@
 /usr/share/doc/cvs-1.11.1p1/cvs-paper.ps
 /usr/share/doc/cvs-1.11.1p1/cvs.ps
 /usr/share/doc/cvs-1.11.1p1/cvsclient.ps
-/usr/share/info/cvs.info-1.gz
-/usr/share/info/cvs.info-2.gz
-/usr/share/info/cvs.info-3.gz
-/usr/share/info/cvs.info-4.gz
-/usr/share/info/cvs.info-5.gz
-/usr/share/info/cvs.info-6.gz
-/usr/share/info/cvs.info-7.gz
-/usr/share/info/cvs.info-8.gz
-/usr/share/info/cvs.info-9.gz
 /usr/share/info/cvs.info.gz
-/usr/share/info/cvsclient.info-1.gz
-/usr/share/info/cvsclient.info-2.gz
-/usr/share/info/cvsclient.info-3.gz
 /usr/share/info/cvsclient.info.gz
 /usr/share/man/man1/cvs.1.gz
 /usr/share/man/man5/cvs.5.gz

http://www-astro.physics.ox.ac.uk/~dom/legacy/misc/cvs-1.11.1p1-14.legacy.3.i386.rpm is my RPM in case anyone wants to poke it).

[dom at isay misc]$ sha1sum /usr/local/RPMS/legacy/updates/i386/cvs-1.11.1p1-14.legacy.3.i386.rpm 
523e9f69536d69ae5a8984f4327e35b32c38afdc  /usr/local/RPMS/legacy/updates/i386/cvs-1.11.1p1-14.legacy.3.i386.rpm

which matches your advisory.

So it looks like something went wrong during rebuilding?

Dominic.




