Slash Boxes

Slash Open Source Project

Security Advisory for CVS Slash

posted by jamiemccarthy on 11:42 AM December 15th, 2004   Printer-friendly   Email story
There has been a security issue in CVS Slash code for the last couple of years which was found recently. This is something that site administrators should be concerned about.

We are urging all sites which are using a version of the code from CVS to upgrade now to the CVS tag R_2_5_0_41. Sites which are using the 2.2.6 tarball, the latest official release, do not need to upgrade (the issue is not present there).

Normally we do not make security announcements for CVS code, because when we have found them in the past, the issues were extremely small and/or fixed within days. This one has been around for a long time, though, and affects many of the R_ tags which we have been recommending sites use, so we're publicly urging site admins to upgrade. (As you know, R_ tags in CVS are ones which we consider relatively stable, while T_ tags should be used primarily for testing.)

This issue was found by Michael Krax <>, who we understand is working on publishing the details of the vulnerability soon. We hope that motivates you to upgrade your sites immediately. We thank Mr. Krax for working with us by reporting this vulnerability to us in a responsible manner.

In about a week, in any case, we will make the details public ourselves and offer a patch which will allow you to secure your sites without performing a full upgrade to R_2_5_0_41.

If you are using CVS code from June 2004 or earlier -- the x_2_3_* tags -- please note that upgrading from a x_2_3_* tag to an x_2_5_* tag is nontrivial. What you'll want to do is

cvs update -r T_2_5_0_4 -dP

and then apply the upgrades file in the normal fashion, including running utils/convertDBto200406 where it says to do so. Then

cvs update -r R_2_5_0_41 -dP

and continue applying the rest of the upgrades file.

Any questions about the upgrade process can be posted here, on this story, or can be asked in the channel #slash on We'll make a solid effort to help anyone upgrade who needs to.

However, for security reasons, we cannot reveal more details about the issue until next week, when all sites have had a chance to upgrade. Watch this website next week for full disclosure. (If you haven't already, you may want to create a user on and set it up to email you the daily headlines.) And if you run a Slash site and aren't already subscribed to the slashcode-general mailing list, you should be: code-general

Our apologies for this oversight. This is the first security notification issued for Slash in over two years, but one is too many, and we are reviewing our programming process to try to prevent this from happening again.

Private questions about these issues can be addressed to me on IRC (user "jamie" in #slash on or in email at; to notify us of additional security issues we may not be aware of, please email Thank you.

This discussion has been archived. No new comments can be posted.
Display Options Threshold:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.