Mageia alert MGASA-2013-0275 (subversion) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2013-0275: Updated subversion package fixes security vulnerability. 
Date:
    	       Fri, 13 Sep 2013 22:14:13 +0200
Message-ID:
    	       <20130913201413.A20EE489B8@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2013-0275 - Updated subversion package fixes security vulnerability.

Publication date: 13 Sep 2013
URL: http://advisories.mageia.org/MGASA-2013-0275.html
Type: security
Affected Mageia releases: 2, 3
CVE: CVE-2013-4277

Description:
svnserve takes a --pid-file option which creates a file containing the
process id it is running as. It does not take steps to ensure that the
file it has been directed at is not a symlink. If the pid file is in a
directory writeable by unprivileged users, the destination could be
replaced by a symlink allowing for   privilege escalation. svnserve
does not create a pid file by default (CVE-2013-4277).

References:
- https://bugs.mageia.org/show_bug.cgi?id=11207
- http://subversion.apache.org/security/CVE-2013-4277-advis...
- https://lists.fedoraproject.org/pipermail/package-announc...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4277

SRPMS:
- 3/core/subversion-1.7.13-1.mga3
- 2/core/subversion-1.7.13-1.mga2
(Log in to post comments)