CVS prior to 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180.
Two vulnerabilities have been discovered and fixed in CVS:
CAN-2004-0180
Sebastian Krahmer discovered a vulnerability whereby
a malicious CVS pserver could create arbitrary files on the client
system during an update or checkout operation, by supplying absolute
pathnames in RCS diffs
CAN-2004-0405
Derek Robert Price discovered a vulnerabilit ...