[Techtalk] Content management systems

Dan Shearer techtalk at shearer.org
Thu Jul 15 11:53:46 EST 2004


On Wed, Jul 14, 2004 at 11:12:14PM +0100, Meredydd wrote:
> On Wednesday 14 July 2004 22:02, Terri Oda wrote:
> > That said, what sort of security issues are you encountering with
> > CVS? I know renaming is annoying (unless you don't mind editing the
> > repository by hand) but I've not heard a whole lot of security
> > concerns related to it.
> 
> I've just been skimming lately, but Bugtraq seems to be alive with CVS 
> vulnerabilities on all sides, and nasty ones at that. Of course, each 
> is fixed as soon as found, but I can sorta see where one might get 
> "that sendmail feeling" from recent events.

That's probably a fair summary. You could search the CVE for something a
bit better than "bugtraq feelings" with this URL:
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cvs

Perhaps another way of looking at it might be this: 

	a) cvs is a network service, with its own protocol, and

	b) cvs has not been seriously worked on for at least four years

So you probably don't need bugtraq to get an uncomfortable feeling. It
seems CVS is dead at the moment and nobody seems to be volunteering to
revive it. And if someone did want to revive it they'd probably start
wondering about new approaches to version management rather than "RCS
over a network" which is close to what CVS is. And if they do that then
probably they're going to leave the CVS code well alone...

Martin Pool has a bit of a mania for version control systems; at one
stage he was trying out a new one every week :-) See some musings he
wrote at http://sourcefrog.net/weblog/software/vc . His opinions are
very well-informed.

Hth,

-- 
Dan Shearer
dan at shearer.org

