Gentoo Linux Security Advisory 201709-17 - A command injection vulnerability in CVS may allow remote attackers to execute arbitrary code. Versions less than 1.12.12-r12 are affected.
78f216f749a83a59358d93b2407ec3478ef2da3649ff8b7511fbd25def623d28
Ubuntu Security Notice 3399-1 - Hank Leininger discovered that cvs did not properly handle SSH for remote repositories. A remote attacker could use this to construct a cvs repository that when accessed could run arbitrary code with the privileges of the user.
e23e4f58ae7a4fb2abde5c65507b1ea997de4d014bc53813f98e38b53a87c713