I just installed cvs-1.11.1p1-8.7 on openacs.org. This version of CVS fixes a vulnerability I had just read about in Red Hat's security bulletin:
"CVS is a version control system frequently used to manage source code repositories. During an audit of the CVS sources, Stefan Esser discovered an exploitable double-free bug in the CVS server."
"On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server."
-Roberto