Slashcode Log In
Security Advisory for CVS Slash
We are urging all sites which are using a version of the code from CVS to upgrade now to the CVS tag R_2_5_0_41. Sites which are using the 2.2.6 tarball, the latest official release, do not need to upgrade (the issue is not present there).
Normally we do not make security announcements for CVS code, because when we have found them in the past, the issues were extremely small and/or fixed within days. This one has been around for a long time, though, and affects many of the R_ tags which we have been recommending sites use, so we're publicly urging site admins to upgrade. (As you know, R_ tags in CVS are ones which we consider relatively stable, while T_ tags should be used primarily for testing.)
This issue was found by Michael Krax <http://www.mikx.de/>, who we understand is working on publishing the details of the vulnerability soon. We hope that motivates you to upgrade your sites immediately. We thank Mr. Krax for working with us by reporting this vulnerability to us in a responsible manner.
In about a week, in any case, we will make the details public ourselves and offer a patch which will allow you to secure your sites without performing a full upgrade to R_2_5_0_41.
If you are using CVS code from June 2004 or earlier -- the x_2_3_* tags -- please note that upgrading from a x_2_3_* tag to an x_2_5_* tag is nontrivial. What you'll want to do is
cvs update -r T_2_5_0_4 -dP
and then apply the upgrades file in the normal fashion, including running utils/convertDBto200406 where it says to do so. Then
cvs update -r R_2_5_0_41 -dP
and continue applying the rest of the upgrades file.
Any questions about the upgrade process can be posted here, on this slashcode.com story, or can be asked in the channel #slash on irc.slashnet.org. We'll make a solid effort to help anyone upgrade who needs to.
However, for security reasons, we cannot reveal more details about the issue until next week, when all sites have had a chance to upgrade. Watch this website next week for full disclosure. (If you haven't already, you may want to create a user on slashcode.com and set it up to email you the daily headlines.) And if you run a Slash site and aren't already subscribed to the slashcode-general mailing list, you should be:
Our apologies for this oversight. This is the first security notification issued for Slash in over two years, but one is too many, and we are reviewing our programming process to try to prevent this from happening again.
Private questions about these issues can be addressed to me on IRC (user "jamie" in #slash on irc.slashnet.org) or in email at firstname.lastname@example.org; to notify us of additional security issues we may not be aware of, please email email@example.com. Thank you.