GLSA-200407-20 : Subversion: Vulnerability in mod_authz_svn

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200407-20
(Subversion: Vulnerability in mod_authz_svn)

Users with write access to part of a Subversion repository may bypass
read restrictions on any part of that repository. This can be done
using an 'svn copy' command to copy the portion of a repository the
user wishes to read into an area where they have write access.
Since copies are versioned, any such copy attempts will be readily
apparent.
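
Because such copies are recorded in history, an administrator can audit for them. The following is an added example, not part of the advisory or the Nessus plugin: it scans the output of `svn log -v --xml` for copies whose source lies in a read-restricted path and whose destination lies outside it. The restricted prefixes and the sample log (paths, authors, revisions) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout produced by `svn log -v --xml`.
SAMPLE_LOG = """<?xml version="1.0"?>
<log>
<logentry revision="41">
<author>alice</author>
<paths>
<path action="A" copyfrom-path="/trunk" copyfrom-rev="40">/branches/rel-1</path>
</paths>
<msg>create release branch</msg>
</logentry>
<logentry revision="42">
<author>bob</author>
<paths>
<path action="A" copyfrom-path="/private/payroll" copyfrom-rev="41">/scratch/bob/tmp</path>
<path action="M">/scratch/bob/notes.txt</path>
</paths>
<msg>wip</msg>
</logentry>
</log>"""

def under(path, prefix):
    """True if path equals prefix or lies below it (whole path segments only)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def find_restricted_copies(log_xml, restricted):
    """Return (revision, author, source, destination) for suspicious copies."""
    hits = []
    for entry in ET.fromstring(log_xml).iter("logentry"):
        for node in entry.iter("path"):
            src = node.get("copyfrom-path")
            if src is None:          # not a copy operation
                continue
            dst = (node.text or "").strip()
            # A copy of a parent directory carries the restricted subtree too.
            src_hit = any(under(src, r) or under(r, src) for r in restricted)
            dst_inside = any(under(dst, r) for r in restricted)
            if src_hit and not dst_inside:
                hits.append((int(entry.get("revision")),
                             entry.findtext("author"), src, dst))
    return hits

if __name__ == "__main__":
    for rev, author, src, dst in find_restricted_copies(SAMPLE_LOG, ["/private"]):
        print(f"r{rev} {author}: {src} -> {dst}")
```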

Impact :

This is a low-risk vulnerability. It affects only users of Subversion
who are running servers inside Apache and using mod_authz_svn.
Additionally, this vulnerability may be exploited only by users with
write access to some portion of a repository.

Workaround :

Keep sensitive content separated into different Subversion
repositories, or disable the Apache Subversion server and use svnserve
instead.

See also :

http://svn.apache.org/repos/asf/subversion/branches/1.0.x/CHANGES
http://www.gentoo.org/security/en/glsa/glsa-200407-20.xml

Solution :

All Subversion users should upgrade to the latest available version:
# emerge sync
# emerge -pv '>=dev-util/subversion-1.0.6'
# emerge '>=dev-util/subversion-1.0.6'

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14553 (gentoo_GLSA-200407-20.nasl)

Bugtraq ID:

CVE ID: CVE-2004-1438