-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 24 January 2005 06:45 pm, Bart Garst wrote:
>
> Do I understand correctly that the attack would be directed at a server
> that has remote access (via pserver mechanism - sourceforge for
> example), but not towards a remote user?

When downloading files from the www.cvshome.org web site, more data comes in 
the download than documented on the site.  ie. The files are larger than they 
should be.  The fear is that someone may be changing the binary downloads to 
include a payload of unkown intent.

There is no vulnerability of CVS servers or clients involved.  The cvshome.org 
web site may have been breached.

They are investigating further.

All the details that I know are in the info-cvs list archive starting with 
this message: 
http://lists.gnu.org/archive/html/info-cvs/2005-01/msg00259.html

Alan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB9bu/0VxxIfjPXe4RAupsAJ9+1CoeyeZPmLufP0YQ4D3Vtx1LbQCgkx8G
wLOUHhwV6YnQNvq2Nw41uto=
=ELTi
-----END PGP SIGNATURE-----
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change  you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss