GLSA-200409-35 : Subversion: Metadata information leak

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200409-35
(Subversion: Metadata information leak)

There is a bug in mod_authz_svn that causes it to reveal logged metadata
regarding commits to protected areas.

Impact :

Protected files themselves will not be revealed, but an attacker could use
the metadata to reveal the existence of protected areas, such as paths,
file versions, and the commit logs from those areas.

Workaround :

Rather than using mod_authz_svn, move protected areas into seperate
repositories and use native Apache authentication to make these
repositories unreadable.

See also :

http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt
http://www.gentoo.org/security/en/glsa/glsa-200409-35.xml

Solution :

All Subversion users should upgrade to the latest version:
# emerge sync
# emerge -pv '>=dev-util/subversion-1.0.8'
# emerge '>=dev-util/subversion-1.0.8'

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 15406 (gentoo_GLSA-200409-35.nasl)

Bugtraq ID:

CVE ID: CVE-2004-0749