Sun Microsystems Inc. Information for VU#650937

Concurrent Versions System (CVS) server improperly deallocates memory

Status

Affected

Vendor Statement

Sun does not include CVS with Solaris and therefore Solaris is not affected by this issue. Sun does provide CVS on the Solaris Companion CD:

as an unsupported package which installs to /opt/sfw and is vulnerable to this issue. Sites using the freeware version of CVS from the Solaris Companion CD will have to upgrade to a later version from CVS Home.

Sun Linux, versions 5.0.3 and below, does ship with a vulnerable CVS package. Sun recommends that CVS services be disabled on affected Sun Linux systems until patches are available for this issue.

Sun will be publishing a Sun Alert for Sun Linux describing the patch information which will be available from:
    http://sunsolve.Sun.COM

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Vendor References

    None

    Addendum

    Sun Cobalt Legacy Products and Linux 5.0.3 are vulnerable: