Concurrent Versions System (CVS) is used to manage code on a number of top open source software development projects.
Discovered by German security firm E-matters, the six holes could enable remote attackers to launch denial of service attacks or run malicious code on systems hosting vulnerable versions of CVS.
Another hole had already been used by hackers to attack the CVS project Web site, and it was during a search of the code after that attack that the other six vulnerabilities were found.
Some of the new vulnerabilities require a valid CVS login, while others can be exploited remotely.
One CVS function called "double-free()" was used to exploit a number of systems running Linux.
The holes have been patched, but the episode does shake the complacency of Linux users, some of whom think they are almost invulnerable to the sorts of attacks suffered by Windows users.