|
|
Subscribe / Log in / New account

Scientific Linux alert SLSA-2015:1742-1 (subversion)



From:
    	      Pat Riehecky <riehecky@fnal.gov> 


To:
    	      <scientific-linux-errata@listserv.fnal.gov> 


Subject:
    	      Security ERRATA Moderate: subversion on SL7.x x86_64 


Date:
    	      Tue, 8 Sep 2015 16:18:56 +0000


Message-ID:
    	      <20150908161856.9797.65770@slpackages.fnal.gov>


Synopsis:          Moderate: subversion security update
Advisory ID:       SLSA-2015:1742-1
Issue Date:        2015-09-08
CVE Numbers:       CVE-2015-0248
                   CVE-2015-0251
                   CVE-2015-3187
                   CVE-2015-3184
--

An assertion failure flaw was found in the way the SVN server processed
certain requests with dynamically evaluated revision numbers. A remote
attacker could use this flaw to cause the SVN server (both svnserve and
httpd with the mod_dav_svn module) to crash. (CVE-2015-0248)

It was found that the mod_authz_svn module did not properly restrict
anonymous access to Subversion repositories under certain configurations
when used with Apache httpd 2.4.x. This could allow a user to anonymously
access files in a Subversion repository, which should only be accessible
to authenticated users. (CVE-2015-3184)

It was found that the mod_dav_svn module did not properly validate the
svn:author property of certain requests. An attacker able to create new
revisions could use this flaw to spoof the svn:author property.
(CVE-2015-0251)

It was found that when an SVN server (both svnserve and httpd with the
mod_dav_svn module) searched the history of a file or a directory, it
would disclose its location in the repository if that file or directory
was not readable (for example, if it had been moved). (CVE-2015-3187)

After installing the updated packages, for the update to take effect, you
must restart the httpd daemon, if you are using mod_dav_svn, and the
svnserve daemon, if you are serving Subversion repositories via the svn://
protocol.
--

SL7
  x86_64
    mod_dav_svn-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-1.7.14-7.el7_1.1.i686.rpm
    subversion-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm
    subversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-devel-1.7.14-7.el7_1.1.i686.rpm
    subversion-devel-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-gnome-1.7.14-7.el7_1.1.i686.rpm
    subversion-gnome-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-javahl-1.7.14-7.el7_1.1.i686.rpm
    subversion-javahl-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-kde-1.7.14-7.el7_1.1.i686.rpm
    subversion-kde-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-libs-1.7.14-7.el7_1.1.i686.rpm
    subversion-libs-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-perl-1.7.14-7.el7_1.1.i686.rpm
    subversion-perl-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-python-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-ruby-1.7.14-7.el7_1.1.i686.rpm
    subversion-ruby-1.7.14-7.el7_1.1.x86_64.rpm
    subversion-tools-1.7.14-7.el7_1.1.x86_64.rpm

- Scientific Linux Development Team
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds