Sun Microsystems Inc. Information for VU#650937

Concurrent Versions System (CVS) server improperly deallocates memory



Vendor Statement

Sun does not include CVS with Solaris and therefore Solaris is not affected by this issue. Sun does provide CVS on the Solaris Companion CD:

as an unsupported package which installs to /opt/sfw and is vulnerable to this issue. Sites using the freeware version of CVS from the Solaris Companion CD will have to upgrade to a later version from CVS Home.

Sun Linux, versions 5.0.3 and below, does ship with a vulnerable CVS package. Sun recommends that CVS services be disabled on affected Sun Linux systems until patches are available for this issue.

Sun will be publishing a Sun Alert for Sun Linux describing the patch information which will be available from:

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Vendor References



    Sun Cobalt Legacy Products and Linux 5.0.3 are vulnerable: