[3.2] subversion: unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s):// (CVE-2016-8734)
Subversion’s mod_dontdothat module and clients using http(s):// are
vulnerable to a denial-of-service attack caused by exponential
XML entity expansion. The attack, otherwise known as the “billion laughs
attack”, targets XML parsers and can cause the targeted process
to consume an excessive amount of CPU resources or memory.
Fixed In Version:
subversion 1.8.17, subversion 1.9.5
Reference:
https://subversion.apache.org/security/CVE-2016-8734-advisory.txt
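
A defensive check for the exponential entity expansion described above, as an added example (not code from Subversion or from its fix): it reads the entity declarations with Python's `xml.parsers.expat` and computes each entity's fully expanded length arithmetically, rejecting the document when a budget is exceeded. The budget value, the function names and the sample documents are assumptions made for illustration, and only internal general entities are considered.

```python
import re
from xml.parsers import expat

MAX_EXPANDED = 64 * 1024  # assumed per-entity budget, in characters
_REF = re.compile(r"&([^#;&\s][^;&\s]*);")  # general entity reference

class EntityBudgetExceeded(ValueError):
    """Raised when a declared entity would expand past the budget."""

def expanded_length(name, decls, memo, stack=()):
    """Length of entity `name` after full expansion, computed with integer
    arithmetic so the replacement text is never built in memory."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise EntityBudgetExceeded(f"entity {name!r} references itself")
    value = decls.get(name, "")  # undeclared or predefined: counted as empty
    total = len(_REF.sub("", value))
    for ref in _REF.findall(value):
        total += expanded_length(ref, decls, memo, stack + (name,))
    memo[name] = total
    return total

def scan_entities(data, budget=MAX_EXPANDED):
    """Parse `data` and return the largest expanded entity length. Raises
    EntityBudgetExceeded from the end-of-DOCTYPE callback if any internal
    general entity would expand past `budget`."""
    decls, worst = {}, [0]
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is not None and not is_param:
            decls[name] = value  # replacement text, nested refs unexpanded
    def on_doctype_end():
        memo = {}
        for name in decls:
            worst[0] = max(worst[0], expanded_length(name, decls, memo))
        if worst[0] > budget:
            raise EntityBudgetExceeded(f"entity expands to {worst[0]} chars")

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    parser.Parse(data, True)
    return worst[0]

# Constructed samples: a plain entity and a small three-level nested one.
BENIGN = b'<!DOCTYPE r [<!ENTITY who "svn">]><r>&who;</r>'
NESTED = (b'<!DOCTYPE r [<!ENTITY a0 "ha">'
          + b'<!ENTITY a1 "' + b'&a0;' * 10 + b'">'
          + b'<!ENTITY a2 "' + b'&a1;' * 10 + b'">'
          + b'<!ENTITY a3 "' + b'&a2;' * 10 + b'">]><r>&a3;</r>')
```

Each nesting level in the constructed sample multiplies the expanded size by ten while adding only one short declaration, which is why the check sizes the declarations instead of the document.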
(from redmine: issue id 6650, created on 2017-01-09, closed on 2017-01-16)
- Relations:
  - parent #6647 (closed)
- Changesets:
  - Revision b8487132 by Natanael Copa on 2017-01-13T09:54:32Z:
    main/subversion: security upgrade to 1.8.17 (CVE-2016-8734)
    fixes #6650