CVSNT 2.x SSH, SSERVER and SYNC impacted by Putty and OpenSSL Security Advisories
March Hare Software CVS Suite (CVSNT) uses the PuTTY implementation of SSH and also the OpenSSL encryption libraries within the SSH, SSERVER and SYNC protocols which have known security vulnerabilities. Important security advisories related to this release:
CVE-2013-4208 discovered in in PuTTY [CVSS 2.0: Low]
CVE-2015-2157 discovered in in PuTTY [CVSS 2.0: Low]
CVE-2017-6542 discovered in in PuTTY [CVSS 2.0: High]
CVE-2013-4207 discovered in in PuTTY [CVSS 2.0: Medium]
CVE-2015-5309 discovered in in PuTTY [CVSS 2.0: Medium]
CVE-2013-4206 discovered in in PuTTY [CVSS 2.0: Medium]
CVE-2013-4852 discovered in in PuTTY [CVSS 2.0: Medium]
CVE-2004-1008 discovered in in PuTTY [CVSS 2.0: High]
CVE-2017-3738 discovered in in OpenSSL [Severity: Low]
CVE-2018-0739 discovered in in OpenSSL [Severity: Moderate]
CVE-2017-3738 discovered in in OpenSSL [Severity: Low]
CVE-2018-0737 discovered in in OpenSSL [Severity: Low]
CVE-2018-0732 discovered in in OpenSSL [Severity: Low]
CVE-2018-0735 discovered in in OpenSSL [Severity: Low]
CVE-2018-0734 discovered in in OpenSSL [Severity: Low]
CVE-2018-5407 discovered in in OpenSSL [Severity: Low]
CVE-2019-1543 discovered in in OpenSSL [Severity: Low]
CVE-2019-1552 discovered in in OpenSSL [Severity: Low]
CVE-2019-1547 discovered in in OpenSSL [Severity: Low]
CVE-2019-1549 discovered in in OpenSSL [Severity: Low]
CVE-2019-1563 discovered in in OpenSSL [Severity: Low]
More information is available at
https://www.march-hare.com/cvspro/security.htm
Who is affected?
If you are using the SSH protocol (eg: cvs -d :ssh:hostname:/myrepo co mymodule), the SSERVER protocol (eg: cvs -d :sserver:hostname:/myrepo co mymodule) or SYNC protocol (within the sync trigger for repository replication) then your system is affected.
On windows operating systems the ssh_protocol.dll or protocols/ssh.dll contain links with PuTTY. The CVS Suite (CVSNT) installer includes a vulnerable copy of PuTTY PLINK library named plink.dll.
The sserver_protocol.dll, sync_protocol.dll, protocols/sync.dll or protocols/sserver.dll contain links with OpenSSL on all operating systems. On windows operating systems the CVS Suite (CVSNT) installer includes a vulnerable OPENSSL library named ssleay32_vc71.dll and libeay32_vc71.dll or named ssleay32.dll and libeay32.dll.
If you are using the SSPI protocol (eg: cvs -d :sspi:hostname:/myrepo co mymodule), GSERVER protocol (eg: cvs -d :gserver:hostname:/myrepo co mymodule) or the insecure PSERVER protocol (eg: cvs -d :pserver:user@hostname:/myrepo co mymodule), then your system is NOT susceptible.
All versions of CVSNT 2.x are vulnerable if you are using the SSH, SSERVER or SYNC protocols. The only currently available workaround is to use an alternative secure protocol, eg: SSPI (with NTLM disabled in the Active Directory) or GSERVER.
Solution
Apply an update or disable the affected protocol(s) or uninstall the affected protocol(s)
On Mac, Linux and Unix - installing the Operating System Vendors OpenSSH and OpenSSL patches will resolve the issue for that server/PC.
On Windows (client and server) you will need to install an updated release of CVS Suite (CVSNT). This issue is addressed in CVS Suite 2009R2 Build 7272 and in a future update to CVS Suite 2010. Customers with an active software maintenance contract will be able to download the update from the customer area of the march-hare.com web site.
Release Notes
Connecting CVSNT clients to CVS or CVSNT servers on Linux/Unix running newer versions of OpenSSH is now possible because the latest release of the CVSNT client supports the 'new' chacha20-poly1305 cipher. Other changes include: fixes for WinCVS crashes, IntelliJ client support in extnt, documentation and more - the release notes detailing all changes since 2009-6977 are available. Release notes for changes since the last community edition 2.5.03.2382 and changes since CVS Suite 2008 are also available.
Support expired? No download in customer area?
If you purchased CVS Suite 2008 with a free upgrade to CVS Suite 2009 - that upgrade was in the customer downloads area from July 2010 onwards.
All customers can download the software they purchased for 120 days from the purchase date only. To get the latest updates, you need to purchase annual software maintenance and support (5 levels to choose from).
If you previously purchased annual maintenance and support, but it has has expired and you have not received an invoice for renewal, you can purchase online (support quantity must equal licensed quantity) and your download will be available within 48 hours. Alternatively you can email sales@march-hare.com for a quote.
Download incomplete or slow?
With a popular new release, our servers can sometimes be a bit slow to provide downloads to thousands of customers at once. If your download fails, please retry later. If you are still having problems please e-mail us.
Forgot your password?
On the login page use the link labelled If you are not a registered customer or you have forgotten your password click here. Clicking will take you to a page with another link: Click here if you've forgotten your password. Enter your e-mail address, then click. A hint will be displayed (if one is set for your account). If this hint does not help you remember your password, click the link labelled click here and we will email you instructions to change your password.
Patch/Update schedule
If a customer has reported a problem that we diagnose as requiring an update/patch to the software, these patch releases are made available on a fortnightly cycle. No udpates will be made during August or January (summer & Christmas vacations). If updates are available they will be published on: February 14, 2020; February 28, 2020; March 13, 2020; March 27, 2020; April 10, 2020; April 24, 2020, May 8, 2020; May 22, 2020; June 5, 2020 etc.
Release Cycle Changes
We previously focused on releasing major updates, including announcing plans for CVS Suite 2.8.02 and 3.1.01. Customers have overwhelmingly told us that 'major' upgrades of this kind are difficult, and have urged us to reconsider a longer lifecycle for the product without major milestone upgrades. For this reason we have deliberately scaled back development of the major new releases in favour of incremental updates to the current release platform.
However on Windows the current 2.8.01 codeline is delivered using old compilers and dependant on old runtimes, so some customers are concerned about security vulnerabilities, performance and how long it can be supported effectively - so we have a new strategy that we think all customers will be happy with.
In 2020 we will continue to develop and release CVS Suite 2009R2, however we will begin releasing two options for windows customers: 'winxp/7/8/10' and 'new:win8/10' releases. The 'new:win8/10' releases will be built using a newer buildchain, but will be otherwise the exact same code/product. We will be encouraging all customers running Windows 8/10 or Server 2016/2019 to upgrade using the newer installers. Customers on oldver versions of windows will have access to the exact same software releases, but built using the old toolchain.
We are also in the process of releasing support for Ubuntu 14.04 LTS and 18.04 LTS, Red Hat 8 and SuSE 11/12.
In 2021 we will be again looking at the 2.8.02 product, which will only support newer operating systems.
Some of our integrations currently rely on 'old' versions of partner products (like Jira). Usually we only update these with 'new' releases of CVS Suite like 2.8.02 - however because of the extended lifetime of CVS Suite 2009R2 we are looking to try and update these within the 2009R2 lifecycle. If you have a particular requirement please discuss this with your technical account manager.
If you have any questions or concerns about this plan, please discuss them with your technical account manager or email sales@march-hare.com.
HPUX (Itanium and PA-RISC) and Solaris (Sparc)
Due to declining customer interest in these platforms we are no longer creating new builds and releases. We still retain the capability of suporting and releasing builds for these platforms, should a customer request it.
AIX (PowerPC), z/Linux (PowerPC) and other platforms
We have performed internal testing on several other platforms and are able to quickly deliver solutions for them. However at this time we are not planning on releasing builds for these platforms until a customer requests it through our 'pay for feature' programme.
The schedule
We announce today the planned release and support schedule for CVS Suite.
|
| CVS Suite 2.5.03 |
| CVS Suite | Windows 2000-Windows 7, Mac, Red Hat Enterprise Linux ES4/5 | Upgrade support to 2009R2. |
| CVS Suite x64 | SLES9 | Upgrade support to 2009R2. |
| CVS Suite x64 | HPUX and Solaris | Upgrade support to 2008. |
|
| CVS Suite 2008 (CVSNT 2.5.03 SP2) build 3226 and later |
| CVS Suite | Windows 2000-Windows 7, Mac, Red Hat Enterprise Linux ES4/5 | Support ended December 2012 |
| CVS Suite x64 | SLES9 | Support ended December 2012 |
| CVS Suite x64 | HPUX (Itanium and PA-RISC) and Solaris (Sparc) | Limited support |
|
| CVS Suite 2009R2 with high performance server |
| CVS Suite | Windows XP-Windows 10, Mac, Red Hat Enterprise Linux ES4/5/6/7 | Available now |
| CVS Suite x64 | SLES9 / Ubuntu | Available now |
| CVS Suite new | Windows 8 & 10 | Estimate: Q3 2020 |
| Plugin Update | Windows 8 & 10, Mac, Red Hat Enterprise Linux 7/8 | Estimate: Q4 2020 |
|
| CVS Suite 2.8.02 with new features |
| CVS Suite | Windows 8 & 10, Mac, Red Hat Enterprise Linux 7/8 | Estimate: Q1 2021 |
| CVS Suite x64 | SLES11/12, Ubuntu | Available: TBA |
|
| CVS Suite 2.8.03 with Team View & Server Change Management |
| CVS Suite | Windows 8 & 10, Mac, Red Hat Enterprise Linux 7/8 | Available: TBA |
| CVS Suite x64 | SLES11/12, Ubuntu | Available: TBA |
|
| Support for other platforms available on request. |
Other products
These products are also available now.
|
| Automatic CVS silently track changes to files, eg: on a file server |
| CVS4S | Windows XP-Windows 10, Windows Server 2003/2008/2012/2016/2019 | Available now |
|
| CM Suite single server for SVN, CVS and VSTS clients. |
| CM Suite 2008 | Windows and SQL Server 2005 | Available now |
|
| Case Sensitive NTFS case sensitive files on Windows |
| CVSCASE | Windows XP-Windows 10, Windows Server 2003/2008/2012/2016/2019 | Available now |
|
| CVS for iSeries version RPG, Fortran and CL in IFS file systems |
| CVSISERIESP05 | OS/400 V5R1 to i5/OS 7.1 | Available now |
|
| UD6 & UD6 Option Pack Uniface 4GL Source Code Stored in Files |
| UD6 | For Uniface 6.1 to Uniface 10.3 | Available now |
|
Since 1999 we have been supplying solutions to effectively manage change: to documents; to source code in text files, and Uniface projects. Today March Hare Software produce the most popular software tools for versioning in commercial software development and provide professional services worldwide. After just a couple of years on the market our commercial solutions CVS Suite and CM Suite have thousands of licensees.
Sincerely,
The March Hare Team:
Thursday February 6th, 2020
 |
 |
 |
|
