
CVSNT 2.x SSH and SSERVER/SYNC protocols impacted by Security Advisories. Action Required by all customers.

CVSNT 2.x SSH, SSERVER and SYNC impacted by PuTTY and OpenSSL Security Advisories

March Hare Software CVS Suite (CVSNT) uses the PuTTY implementation of SSH and the OpenSSL encryption libraries within its SSH, SSERVER and SYNC protocols, and both have known security vulnerabilities. Important security advisories related to this release:

CVE-2013-4208 discovered in PuTTY [CVSS 2.0: Low]
CVE-2015-2157 discovered in PuTTY [CVSS 2.0: Low]
CVE-2017-6542 discovered in PuTTY [CVSS 2.0: High]
CVE-2013-4207 discovered in PuTTY [CVSS 2.0: Medium]
CVE-2015-5309 discovered in PuTTY [CVSS 2.0: Medium]
CVE-2013-4206 discovered in PuTTY [CVSS 2.0: Medium]
CVE-2013-4852 discovered in PuTTY [CVSS 2.0: Medium]
CVE-2004-1008 discovered in PuTTY [CVSS 2.0: High]
CVE-2017-3738 discovered in OpenSSL [Severity: Low]
CVE-2018-0739 discovered in OpenSSL [Severity: Moderate]
CVE-2018-0737 discovered in OpenSSL [Severity: Low]
CVE-2018-0732 discovered in OpenSSL [Severity: Low]
CVE-2018-0735 discovered in OpenSSL [Severity: Low]
CVE-2018-0734 discovered in OpenSSL [Severity: Low]
CVE-2018-5407 discovered in OpenSSL [Severity: Low]
CVE-2019-1543 discovered in OpenSSL [Severity: Low]
CVE-2019-1552 discovered in OpenSSL [Severity: Low]
CVE-2019-1547 discovered in OpenSSL [Severity: Low]
CVE-2019-1549 discovered in OpenSSL [Severity: Low]
CVE-2019-1563 discovered in OpenSSL [Severity: Low]

More information is available at

Who is affected?
If you are using the SSH protocol (eg: cvs -d :ssh:hostname:/myrepo co mymodule), the SSERVER protocol (eg: cvs -d :sserver:hostname:/myrepo co mymodule) or SYNC protocol (within the sync trigger for repository replication) then your system is affected.

On Windows operating systems, ssh_protocol.dll or protocols/ssh.dll is linked with PuTTY. The CVS Suite (CVSNT) installer includes a vulnerable copy of the PuTTY PLINK library named plink.dll.

On all operating systems, sserver_protocol.dll, sync_protocol.dll, protocols/sync.dll or protocols/sserver.dll is linked with OpenSSL. On Windows operating systems the CVS Suite (CVSNT) installer includes vulnerable OpenSSL libraries named ssleay32_vc71.dll and libeay32_vc71.dll, or named ssleay32.dll and libeay32.dll.

If you are using the SSPI protocol (eg: cvs -d :sspi:hostname:/myrepo co mymodule), GSERVER protocol (eg: cvs -d :gserver:hostname:/myrepo co mymodule) or the insecure PSERVER protocol (eg: cvs -d :pserver:user@hostname:/myrepo co mymodule), then your system is NOT susceptible.

All versions of CVSNT 2.x are vulnerable if you are using the SSH, SSERVER or SYNC protocols. The only currently available workaround is to use an alternative secure protocol, eg: SSPI (with NTLM disabled in the Active Directory) or GSERVER.
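To check a machine against the criteria above, the following added example (not part of the original advisory or of CVS Suite) classifies the CVSROOT recorded in each working copy's CVS/Root file and lists the named libraries found under an install directory. The function names are hypothetical, the optional `;options` part of the CVSROOT pattern is an assumption, and a listed DLL being present does not by itself say which build it comes from.

```python
import os
import re

# Protocol names as listed in the advisory.
AFFECTED = {"ssh", "sserver", "sync"}
NOT_AFFECTED = {"sspi", "gserver", "pserver"}
# Windows library names the advisory lists (any directory / under protocols/).
DLLS_ANYWHERE = {"plink.dll", "ssh_protocol.dll", "sserver_protocol.dll",
                 "sync_protocol.dll", "ssleay32_vc71.dll", "libeay32_vc71.dll",
                 "ssleay32.dll", "libeay32.dll"}
DLLS_IN_PROTOCOLS = {"ssh.dll", "sserver.dll", "sync.dll"}

# Assumed CVSROOT shape: ":protocol[;options]:rest"; options are skipped.
ROOT_RE = re.compile(r"^:([A-Za-z0-9_]+)(?:;[^:]*)?:")

def classify_cvsroot(cvsroot):
    """Return 'affected', 'not-affected' or 'unlisted' for one CVSROOT string."""
    m = ROOT_RE.match(cvsroot.strip())
    proto = m.group(1).lower() if m else ""
    if proto in AFFECTED:
        return "affected"
    if proto in NOT_AFFECTED:
        return "not-affected"
    return "unlisted"  # local path, or a protocol the advisory does not name

def scan_working_copies(top):
    """Map each CVS/Root file under `top` to (cvsroot, verdict)."""
    found = {}
    for dirpath, _dirs, files in os.walk(top):
        if os.path.basename(dirpath) == "CVS" and "Root" in files:
            path = os.path.join(dirpath, "Root")
            with open(path, encoding="utf-8", errors="replace") as fh:
                root = fh.readline().strip()
            found[path] = (root, classify_cvsroot(root))
    return found

def find_listed_dlls(install_dir):
    """List advisory-named DLLs present under install_dir (presence only)."""
    hits = []
    for dirpath, _dirs, files in os.walk(install_dir):
        in_protocols = os.path.basename(dirpath).lower() == "protocols"
        for name in files:
            low = name.lower()
            if low in DLLS_ANYWHERE or (in_protocols and low in DLLS_IN_PROTOCOLS):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

if __name__ == "__main__":
    for path, (root, verdict) in sorted(scan_working_copies(".").items()):
        print(f"{verdict:12} {root}  ({path})")
```

The SYNC protocol is configured in the sync trigger rather than in a working copy, so a clean result from the CVS/Root scan does not cover replication servers.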

Apply an update or disable the affected protocol(s) or uninstall the affected protocol(s)

On Mac, Linux and Unix, installing the operating system vendor's OpenSSH and OpenSSL patches will resolve the issue for that server/PC.

On Windows (client and server) you will need to install an updated release of CVS Suite (CVSNT). This issue is addressed in CVS Suite 2009R2 Build 7272 and in a future update to CVS Suite 2010. Customers with an active software maintenance contract will be able to download the update from the customer area of the web site.

Release Notes
Connecting CVSNT clients to CVS or CVSNT servers on Linux/Unix running newer versions of OpenSSH is now possible because the latest release of the CVSNT client supports the 'new' chacha20-poly1305 cipher. Other changes include: fixes for WinCVS crashes, IntelliJ client support in extnt, documentation and more - the release notes detailing all changes since 2009-6977 are available. Release notes for changes since the last community edition and changes since CVS Suite 2008 are also available.

Support expired? No download in customer area?
If you purchased CVS Suite 2008 with a free upgrade to CVS Suite 2009 - that upgrade was in the customer downloads area from July 2010 onwards.

All customers can download the software they purchased for 120 days from the purchase date only. To get the latest updates, you need to purchase annual software maintenance and support (5 levels to choose from).

If you previously purchased annual maintenance and support, but it has expired and you have not received an invoice for renewal, you can purchase online (support quantity must equal licensed quantity) and your download will be available within 48 hours. Alternatively you can email for a quote.

Download incomplete or slow?
With a popular new release, our servers can sometimes be a bit slow to provide downloads to thousands of customers at once. If your download fails, please retry later. If you are still having problems please e-mail us.

Forgot your password?
On the login page use the link labelled If you are not a registered customer or you have forgotten your password click here. Clicking will take you to a page with another link: Click here if you've forgotten your password. Enter your e-mail address, then click. A hint will be displayed (if one is set for your account). If this hint does not help you remember your password, click the link labelled click here and we will email you instructions to change your password.

Patch/Update schedule
If a customer has reported a problem that we diagnose as requiring an update/patch to the software, these patch releases are made available on a fortnightly cycle. No updates will be made during August or January (summer & Christmas vacations). If updates are available they will be published on: February 14, 2020; February 28, 2020; March 13, 2020; March 27, 2020; April 10, 2020; April 24, 2020; May 8, 2020; May 22, 2020; June 5, 2020 etc.

Release Cycle Changes
We previously focused on releasing major updates, including announcing plans for CVS Suite 2.8.02 and 3.1.01. Customers have overwhelmingly told us that 'major' upgrades of this kind are difficult, and have urged us to reconsider a longer lifecycle for the product without major milestone upgrades. For this reason we have deliberately scaled back development of the major new releases in favour of incremental updates to the current release platform.

However, on Windows the current 2.8.01 codeline is delivered using old compilers and is dependent on old runtimes, so some customers are concerned about security vulnerabilities, performance and how long it can be supported effectively. We therefore have a new strategy that we think all customers will be happy with.

In 2020 we will continue to develop and release CVS Suite 2009R2, however we will begin releasing two options for Windows customers: 'winxp/7/8/10' and 'new:win8/10' releases. The 'new:win8/10' releases will be built using a newer buildchain, but will be otherwise the exact same code/product. We will be encouraging all customers running Windows 8/10 or Server 2016/2019 to upgrade using the newer installers. Customers on older versions of Windows will have access to the exact same software releases, but built using the old toolchain.

We are also in the process of releasing support for Ubuntu 14.04 LTS and 18.04 LTS, Red Hat 8 and SuSE 11/12.

In 2021 we will be again looking at the 2.8.02 product, which will only support newer operating systems.

Some of our integrations currently rely on 'old' versions of partner products (like Jira). Usually we only update these with 'new' releases of CVS Suite like 2.8.02 - however because of the extended lifetime of CVS Suite 2009R2 we are looking to try and update these within the 2009R2 lifecycle. If you have a particular requirement please discuss this with your technical account manager.

If you have any questions or concerns about this plan, please discuss them with your technical account manager or email

HPUX (Itanium and PA-RISC) and Solaris (Sparc)
Due to declining customer interest in these platforms we are no longer creating new builds and releases. We still retain the capability of supporting and releasing builds for these platforms, should a customer request it.

AIX (PowerPC), z/Linux (PowerPC) and other platforms
We have performed internal testing on several other platforms and are able to quickly deliver solutions for them. However at this time we are not planning on releasing builds for these platforms until a customer requests it through our 'pay for feature' programme.

The schedule
We announce today the planned release and support schedule for CVS Suite.

CVS Suite 2.5.03
CVS Suite | Windows 2000-Windows 7, Mac, Red Hat Enterprise Linux ES4/5 | Upgrade support to 2009R2.
CVS Suite x64 | SLES9 | Upgrade support to 2009R2.
CVS Suite x64 | HPUX and Solaris | Upgrade support to 2008.

CVS Suite 2008 (CVSNT 2.5.03 SP2) build 3226 and later
CVS Suite | Windows 2000-Windows 7, Mac, Red Hat Enterprise Linux ES4/5 | Support ended December 2012
CVS Suite x64 | SLES9 | Support ended December 2012
CVS Suite x64 | HPUX (Itanium and PA-RISC) and Solaris (Sparc) | Limited support

CVS Suite 2009R2 with high performance server
CVS Suite | Windows XP-Windows 10, Mac, Red Hat Enterprise Linux ES4/5/6/7 | Available now
CVS Suite x64 | SLES9 / Ubuntu | Available now
CVS Suite new | Windows 8 & 10 | Estimate: Q3 2020
Plugin Update | Windows 8 & 10, Mac, Red Hat Enterprise Linux 7/8 | Estimate: Q4 2020

CVS Suite 2.8.02 with new features
CVS Suite | Windows 8 & 10, Mac, Red Hat Enterprise Linux 7/8 | Estimate: Q1 2021
CVS Suite x64 | SLES11/12, Ubuntu | Available: TBA

CVS Suite 2.8.03 with Team View & Server Change Management
CVS Suite | Windows 8 & 10, Mac, Red Hat Enterprise Linux 7/8 | Available: TBA
CVS Suite x64 | SLES11/12, Ubuntu | Available: TBA

Support for other platforms available on request.

Other products
These products are also available now.

Automatic CVS: silently track changes to files, eg: on a file server
CVS4S | Windows XP-Windows 10, Windows Server 2003/2008/2012/2016/2019 | Available now

CM Suite: single server for SVN, CVS and VSTS clients.
CM Suite 2008 | Windows and SQL Server 2005 | Available now

Case Sensitive: NTFS case sensitive files on Windows
CVSCASE | Windows XP-Windows 10, Windows Server 2003/2008/2012/2016/2019 | Available now

CVS for iSeries: version RPG, Fortran and CL in IFS file systems
CVSISERIESP05 | OS/400 V5R1 to i5/OS 7.1 | Available now

UD6 & UD6 Option Pack: Uniface 4GL Source Code Stored in Files
UD6 | For Uniface 6.1 to Uniface 10.3 | Available now

Since 1999 we have been supplying solutions to effectively manage change: to documents; to source code in text files, and Uniface projects. Today March Hare Software produce the most popular software tools for versioning in commercial software development and provide professional services worldwide. After just a couple of years on the market our commercial solutions CVS Suite and CM Suite have thousands of licensees.

The March Hare Team:
Thursday February 6th, 2020


If you are moving your repository to a new server, did you know our team can provide assistance: from free migration guidelines to a complete on site managed migration using our own specialist staff. Ask our sales team for more information about getting migration assistance.

Need Help?
Did you know we have a 24 hour a day support team located across Europe, North America and Australia? Access to support is quick and simple and a variety of service level agreements are available packaged together with software maintenance. Ask our sales team for more information about getting support.

Email ID: CVSSEC20_01
March Hare Software Limited. 85-87 Bayham Street, Camden Town NW1 0AG, United Kingdom Tel +44 (0)20 7692 0712
March Hare Software UG. Europadamm 4, 41460 Neuss, Germany Tel +44 (0)20 7692 0712
March Hare Software LLC. 200 Broadhollow Road ste 207, Melville NY, 11747, United States Tel +1 (800) 653 1501
March Hare Pty Ltd. Sydney, Australia Tel +61 (0)2 8212 4409

Copyright 2020 March Hare Software Limited. All rights reserved. UD6, UD6 Option Pack, CVSNT, EVS, EVSCM, CVS Suite and CM Suite are trademarks of March Hare Software Limited.
