Forum OpenACS Q&A: New CVS Packages fix vulnerability
"CVS is a version control system frequently used to manage source code repositories. During an audit of the CVS sources, Stefan Esser discovered an exploitable double-free bug in the CVS server."
"On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server."