[v2.6] subversion: remote DoS (CVE-2013-4505 CVE-2013-4558 CVE-2014-0032)
CVE-2013-4505:
The is_this_legal function in mod_dontdothat for Apache Subversion
1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to
bypass intended access restrictions and possibly cause a denial of
service (resource consumption) via a relative URL in a REPORT request.
•CONFIRM:
http://subversion.apache.org/security/CVE-2013-4505-advisory.txt
•SUSE:openSUSE-SU-2013:1836
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00029.html
•SUSE:openSUSE-SU-2013:1860
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00048.html
•OSVDB:100364
•URL: http://osvdb.org/100364
•SECUNIA:55855
•URL: http://secunia.com/advisories/55855
CVE-2013-4558:
The get_parent_resource function in repos.c in mod_dav_svn Apache
HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1
through 1.8.4, when built with assertions enabled and SVNAutoversioning
is enabled, allows remote attackers to cause a denial of service
(assertion failure and Apache process abort) via a non-canonical URL in
a request, as demonstrated using a trailing /.
•CONFIRM:
http://subversion.apache.org/security/CVE-2013-4558-advisory.txt
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1033431
•SUSE:openSUSE-SU-2013:1836
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00029.html
•SUSE:openSUSE-SU-2013:1860
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00048.html
•OSVDB:100363
•URL: http://osvdb.org/100363
CVE-2014-0032:
The get_resource function in repos.c in the mod_dav_svn module in
Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when
SVNListParentPath is enabled, allows remote attackers to cause a denial
of service (crash) via vectors related to the server root and request
methods other than GET, as demonstrated by the “svn ls
http://svn.example.com” command.
•MLIST:[subversion-dev] 20140110 2 Re: Segfault in mod_dav_svn with
repositories on /
•URL:
http://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3C52D328AB.8090502@reser.org%3E
•MLIST:[subversion-dev] 20140110 Re: Segfault in mod_dav_svn with
repositories on /
•URL:
http://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3C871u0gqb0d.fsf@ntlworld.com%3E
•MLIST:[subversion-dev] 20140110 Segfault in mod_dav_svn with repositories
on /
•URL:
http://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3CCANvU9scLHr2yOLABW8q6_wNzhEf7pWM=NiavGcobqvUuyhKyAA@mail.gmail.com%3E
•CONFIRM:
http://svn.apache.org/repos/asf/subversion/tags/1.7.15/CHANGES
•CONFIRM:
http://svn.apache.org/repos/asf/subversion/tags/1.8.6/CHANGES
•CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1557320
•BID:65434
•URL: http://www.securityfocus.com/bid/65434
•OSVDB:102927
•URL: http://www.osvdb.org/102927
•SECUNIA:56822
•URL: http://secunia.com/advisories/56822
•XF:apache-subversion-cve20140032-dos(90986)
•URL: http://xforce.iss.net/xforce/xfdb/90986
(from redmine: issue id 2742, created on 2014-03-05, closed on 2014-03-13)
- Relations:
- parent #2739 (closed)
- Changesets:
- Revision 48505d95 by Natanael Copa on 2014-03-13T10:35:27Z:
main/subversion: security upgrade to 1.7.16 (CVE-2013-4505,CVE-2013-4558,CVE-2014-0032)
fixes #2742