LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Pardus alert 2011-109 (subversion)



From:
    	      Meltem Parmaksız <meltem@pardus.org.tr> 


To:
    	      pardus-security@pardus.org.tr 


Subject:
    	      [Pardus-security] [PLSA 2011-109] Subversion: Multible
	Vulnerabilities 


Date:
    	      Mon, 5 Sep 2011 14:52:46 +0300


Message-ID:
    	      <201109051452.47049.meltem@pardus.org.tr>


Archive-link:
    	      Article, Thread
              


------------------------------------------------------------------------
Pardus Linux Security Advisory 2011-109           security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2011-09-05
      Type: Remote
------------------------------------------------------------------------

Summary
=======

Multiple vulnerabilties have been fixed in subversion. 


Description
===========

CVE-2011-1752 : 

The mod_dav_svn module for the Apache HTTP Server,  as  distributed  in 
Apache Subversion before 1.6.17, allows remote  attackers  to  cause  a 
denial of service (NULL pointer dereference and  daemon  crash)  via  a 
request for a baselined 

WebDAV resource, as exploited in the wild in May 2011. 



CVE-2011-1783 : 

The mod_dav_svn module for the Apache HTTP Server,  as  distributed  in 
Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the  SVNPathAuthz 
short_circuit option is enabled, allows remote  attackers  to  cause  a 
denial of service 

(infinite loop and memory consumption) in opportunistic circumstances by
requesting data. 



CVE-2011-1921 : 

The mod_dav_svn module for the Apache HTTP Server,  as  distributed  in 
Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the  SVNPathAuthz 
short_circuit option is disabled, does not properly enforce permissions 
for files that had 

been publicly readable in the past, which allows  remote  attackers  to 
obtain sensitive information via a replay REPORT operation. 


Affected packages:

  Pardus 2009:
    subversion, all before 1.6.15-62-22
  Pardus 2011:
    subversion, all before 1.6.17-68-p11


Resolution
==========

There are update(s) for subversion. You can  update  them  via  Package 
Manager or with a single command from console: 

  Pardus 2009:
    pisi up subversion

  Pardus 2011:
    pisi up subversion


References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=18846

------------------------------------------------------------------------

_______________________________________________
Pardus-Security mailing list
Pardus-Security@pardus.org.tr
http://liste.pardus.org.tr/mailman/listinfo/pardus-security
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds