Updated cvs packages closing a vulnerability that could allow cvs to attempt to create files and directories in the root file system are now available.
CVS is a version control system frequently used to manage source code repositories. A flaw was found in versions of CVS prior to 1.11.10 where a malformed module request could cause the CVS server to attempt to create files or directories at the root level of the file system. However, normal file system permissions would prevent the creation of these misplaced directories. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue. For CentOS Linux 2.1, these updates also fix an off-by-one overflow in the CVS PreservePermissions code. The PreservePermissions feature is not used by default (and can only be used for local CVS). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0844 to this issue.