View this email on mobile devices | View the online version

CVSNT 2.x ZLIB and SSERVER/SYNC protocols impacted by Security Advisories. Action Required by all customers.

CVSNT 2.x Client & Server, SSERVER and SYNC impacted by ZLIB and OpenSSL Security Advisories

March Hare Software CVS Suite (CVSNT) uses the ZLIB library in CVSNT Client and Server, and also the OpenSSL encryption libraries within SSERVER and SYNC protocols which have known security vulnerabilities. Important security advisories related to this release:

CVE-2018-25032 discovered in in ZLIB [CVSS 2.0: Medium]
CVE-2022-0778 discovered in in OpenSSL [Severity: High]
CVE-2021-4160 discovered in in OpenSSL [Severity: Moderate]
CVE-2021-3711 discovered in in OpenSSL [Severity: High]
CVE-2021-3450 discovered in in OpenSSL [Severity: High]
CVE-2021-23841 discovered in in OpenSSL [Severity: Moderate]
CVE-2020-1971 discovered in in OpenSSL [Severity: High]
CVE-2020-1967 discovered in in OpenSSL [Severity: High]
CVE-2019-1551 discovered in in OpenSSL [Severity: Low]

More information is available at

Who is affected?
Windows, MacOS, Linux. Unix, OS/400 and z/Linux customers are affected.

If you are using Linux with the CVS Suite -rhel5- or -rhel7- packages then your system vendor will provide updates to resolve these security issues by updating the shared libraries. Contact your linux vendor for updates. You do NOT have to upgrade CVS Suite.

If you are using Ubuntu or SLES Linux with the CVS Suite x64 -sl9- or .deb.gz packages then your system vendor will provide updates to resolve these security issues by updating the shared libraries. Contact your linux vendor for updates. You do NOT have to upgrade CVS Suite.

On windows operating systems the CVS Suite (CVSNT) installer includes a vulnerable copy of ZLIB library statically linked to the file named cvsnt.exe and the sserver_protocol.dll, sync_protocol.dll, protocols/sync.dll or protocols/sserver.dll contain links with OpenSSL. On windows operating systems the CVS Suite (CVSNT) installer includes a vulnerable OPENSSL library named ssleay32_vc71.dll and libeay32_vc71.dll.

The only currently available workaround is to use cvs -z0 and an alternative secure protocol, eg: SSPI (with NTLM disabled in the Active Directory) or GSERVER.

Solution - Apply an Update

On Unix and Linux (except the -rh9- package) - installing the Operating System vendor's ZLIB and OpenSSL patches will resolve the issue for that server/PC.

On Windows (client and server) you will need to install an updated release of CVS Suite (CVSNT). This issue is addressed in CVS Suite 2009R2 Build 8078 and CVS Suite 2010 Build 8078. Customers with an active software maintenance contract will be able to download the update from the customer area of the web site.

Release Notes
CVS Suite 2009-8078 also includes improvements to the eBook documentation and more - the release notes detailing all changes since 2009-7272 are available. Release notes for changes since the last community edition and changes since CVS Suite 2008 are also available.

Support expired? No download in customer area?
If you purchased CVS Suite 2008 with a free upgrade to CVS Suite 2009 - that upgrade was in the customer downloads area from July 2010 onwards.

All customers can download the software they purchased for 120 days from the purchase date only. To get the latest updates, you need to purchase annual software maintenance and support (5 levels to choose from).

If you previously purchased annual maintenance and support, but it has expired and you have not received an invoice for renewal, you can email for a quote.

Purchase/Renew Online (web store) and PayPal
In May 2021 our old cloud based web store vendor unexpectedly announced that our 'product level' would not entitle us to the latest credit card / PCI compliance, which suddenly prevented us from accepting any credit card payments. They offered to 'upgrade' us to a higher level if we paid significantly more annually (several hundred percent more). We decided that this was not a good use of the money you pay us to maintain CVS Suite. So we decided to take advantage of the opportunity to bring the web store 'in house'. During the period the web store is unavailable, we are taking payment by PayPal. Just email for a PayPal invoice. We expect our new online store to be back later this month.

Renewal Notices
The system we use for quotations, invoices and renewal notices was tied closely with our online store. Unfortunately this upgrade has taken an extended period to complete which has affected our ability to send automated renewal notices when your maintenance expires. We sincerely apologise for any inconvenience this has caused. Please email for a quote or invoice if our manual process has missed you.

Forgot your customer area password?
On the login page use the link labelled Forgot your password?. Enter your e-mail address, then click send email. As part of our migration to a customer identity management system all customer passwords were reset on June 22, 2021.

Patch/Update schedule
If a customer has reported a problem that we diagnose as requiring an update/patch to the software, these patch releases are made available on a fortnightly cycle. No udpates will be made during August or January (summer & Christmas vacations). If updates are available they will be published on: May 20, 2022; June 3, 2022; June 17, 2022; July 1, 2022; July 15, 2022; September 23, 2022, October 7, 2022; October 21, 2022; November 4, 2022 etc.

Release Cycle Changes
On 6th February 2020 we announced a release plan for major updates to CVS Suite. Within four weeks the global impacts of the COVID-19 pandemic were being felt and customers were asking us not to make such large changes during a period of great uncertainty. We therefore focussed on updating internal systems (see above) and put these plans on hold. Once our internal system upgrades are complete, we will once again proceed with our plans for major software updates.

We will continue to develop and release CVS Suite 2009R2, however later in 2022 we will begin releasing two options for windows customers: 'winxp/7/8/10' and 'new:win10/11' releases. The 'new:win10/11' releases will be built using a newer buildchain, but will be otherwise the exact same code/product. We will be encouraging all customers running Windows 10/11 or Server 2016/2019/2022 to upgrade using the newer installers. Customers on older versions of windows will have access to the exact same software releases, but built using the old toolchain.

We are releasing support for Ubuntu 14.04 LTS and 18.04 LTS in 2022.

Later in 2022 we will be again looking at the 2.8.02 product, which will only support newer operating systems like Windows 10/11, Windows Server 2016-2022, Red Hat 8 and SuSE 11/12.

Some of our integrations currently rely on 'old' versions of partner products (like Jira). Usually we only update these with 'new' releases of CVS Suite like 2.8.02 - however because of the extended lifetime of CVS Suite 2009R2 we are looking to try and update these within the 2009R2 lifecycle. If you have a particular requirement please discuss this with your technical account manager.

If you have any questions or concerns about this plan, please discuss them with your technical account manager or email

HPUX (Itanium and PA-RISC) and Solaris (Sparc)
Due to declining customer interest in these platforms we are no longer creating new builds and releases. We still retain the capability of suporting and releasing builds for these platforms, should a customer request it.

AIX (PowerPC), z/Linux (PowerPC) and other platforms
We have performed internal testing on several other platforms and are able to quickly deliver solutions for them. However at this time we are not planning on releasing builds for these platforms until a customer requests it through our 'pay for feature' programme.

The schedule
We announce today the planned release and support schedule for CVS Suite.

CVS Suite 2009R2 with high performance server
CVS SuiteWindows XP-Windows 10(11*), Mac, Red Hat Enterprise Linux ES4/5/6/7Available now
CVS Suite x64SLES9 / UbuntuAvailable now
CVS Suite newWindows 10 & 11Estimate: Q4 2022
Plugin UpdateWindows 10 & 11, Mac, Red Hat Enterprise Linux 7/8Estimate: Q1 2023

CVS Suite 2.8.02 with new features
CVS SuiteWindows 10 & 11, Mac, Red Hat Enterprise Linux 7/8Estimate: Q2 2023
CVS Suite x64SLES11/12, UbuntuAvailable: TBA

CVS Suite 2.8.03 with Team View & Server Change Management
CVS SuiteWindows 10 & 11, Mac, Red Hat Enterprise Linux 7/8Available: TBA
CVS Suite x64SLES11/12, UbuntuAvailable: TBA

Support for other platforms available on request.
note *: we have not tested this release on Windows 11, however Microsoft have informed us that our Windows 10 release should be compatible. If you encounter specific problems with Windows 11 please contact us.

Other products
These products are also available now.

Automatic CVS silently track changes to files, eg: on a file server
CVS4SWindows XP-Windows 11, Windows Server 2003/2008/2012/2016/2019/2022Available now

CM Suite single server for SVN, CVS and VSTS clients.
CM Suite 2008Windows and SQL Server 2005Available now

Case Sensitive NTFS case sensitive files on Windows
CVSCASEWindows XP-Windows 11, Windows Server 2003/2008/2012/2016/2019/2022Available now

CVS for iSeries version RPG, Fortran and CL in IFS file systems
CVSISERIESP05OS/400 V5R1 to i5/OS 7.1Available now

UD6 & UD6 Option Pack Uniface 4GL Source Code Stored in Files
UD6For Uniface 6.1 to Uniface 10.3 (10.4 coming soon)Available now

Retired products

CVS Suite 2.5.03
CVS SuiteWindows 2000-Windows 7, Mac, Red Hat Enterprise Linux ES4/5Upgrade support to 2009R2.
CVS Suite x64SLES9Upgrade support to 2009R2.
CVS Suite x64HPUX and SolarisUpgrade support to 2008.

CVS Suite 2008 (CVSNT 2.5.03 SP2) build 3226 and later
CVS SuiteWindows 2000-Windows 7, Mac, Red Hat Enterprise Linux ES4/5Support ended December 2012
CVS Suite x64SLES9Support ended December 2012
CVS Suite x64HPUX (Itanium and PA-RISC) and Solaris (Sparc)Limited support

Since 1999 we have been supplying solutions to effectively manage change: to documents; to source code in text files, and Uniface projects. Today March Hare Software produce the most popular software tools for versioning in commercial software development and provide professional services worldwide. CVS Suite and CM Suite took only a couple of years to establish thousands of licensees. Every year we continue to maintain thousands of customers and add new licensees.

The March Hare Team:
Thursday May 9th, 2022

| | |



If you are moving your repository to a new server, did you know our team can provide assistance: from free migration guidelines to a complete on site managed migration using our own specialist staff. Ask our sales team for more information about getting migration assistance.

Need Help?
Did you know we have a 24 hour a day support team located across Europe, North America and Australia? Access to support is quick and simple and a variety of service level agreements are available packaged together with software maintenance. Ask our sales team for more information about getting support.

Answers to Frequent Questions

Email ID: CVSSEC22_01
March Hare Software UG. Europadamm 4, 41460 Neuss, Germany Tel +49 (0) 2131 5952927
March Hare Software Limited. 85-87 Bayham Street, Camden Town NW1 0AG, United Kingdom Tel +44 (0)20 7692 0712
March Hare Software LLC. 200 Broadhollow Road ste 207, Melville NY, 11747, United States Tel +1 (800) 653 1501
March Hare Pty Ltd. Sydney, Australia Tel +61 (0)2 8212 4409

Copyright 2022 March Hare Software UG. All rights reserved. UD6, UD6 Option Pack, CVSNT, EVS, EVSCM, CVS Suite and CM Suite are trademarks of March Hare Software Limited.

Thank you for choosing CVS Suite Version Control. Any information that you provide to March Hare Software will be treated in accordance with our Privacy Policy.

To UNSUBSCRIBE completely from March Hare Software communications, please email

This email was sent by March Hare Software UG (haftungsbeschränkt), USt-ldNr. DE322774869, Europadamm 4, 41460 Neuss, Deutschland. Make sure you add to your address book and safe list.
You have received this email as this is a service announcement and not a promotional email. If you need any further information feel free to call us on +49 (0) 2131 5952927.
If you have an enquiry about why you received this email, please see our full Privacy Policy.
Need help? Check out our Documentation Library or our Handy FAQ.

CAUTION: This email and files included in its transmission are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us immediately and delete it without copying the contents contained within. March Hare Software UG (including its group of companies) do not accept liability for the views expressed within or the consequences of any computer viruses that may be transmitted with this email. The contents are also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.