Re: [WEBMASTER] 'www/html/devel-corner index.html'

Alfred Perlstein <bright@wintelcom.net> writes:
> It's on security focus:

> Cvsweb 1.80 makes an insecure call to the
>  perl OPEN function, providing attackers with
>  write access to a cvs repository the ability to
   ^^^^^^^^^^^^
>  execute arbitrary commands on the host
>  machine. The code that is being exploited
>  here is the following: open($fh, "rlog
>  '$filenames' 2>/dev/null |")

> Actually, now that I've looked at it you guys seem to be using 1.93
> a bit newer than the vulnerable version.

Since we don't hand out cvs write access very freely, this doesn't seem
like a big problem.  Still, it might be a good idea to actually remove
the old version of cvsweb (cvswebtest) rather than just not have it
linked to anymore ...


> Do you guys have a private developers' list that doesn't get broadcast
> back out that I can use if anything like this pops up in the future?

You can send security concerns to pgsql-core@postgreSQL.org --- the core
list isn't publicly readable (or even archived anywhere, AFAIK).

            regards, tom lane