openSUSE-SU-2015:0672

http://subversion.apache.org/security/CVE-2015-0202-advisory.txt

MDVSA-2015:192

76446

1032100

USN-2721-1

GLSA-201610-05

The remote host is affected by the vulnerability described in GLSA-201610-05 (Subversion, Serf: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in Subversion and Serf.
      Please review the CVE identifiers referenced below for details   Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, conduct a man-in-the-middle attack, obtain       sensitive information, or cause a Denial of Service Condition.
  Workaround :

    There is no known workaround at this time.

The version of Apache Subversion installed on the remote host is 1.7.x prior to 1.7.20, or 1.8.x prior to 1.8.12 and is affected by the following vulnerabilities :

 - 'mod_dav_svn' and 'svnserve' are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers. Assertion will cause svnserve process or the process hosting m'od_dav_svn' module (Apache) to abort. (CVE-2015-0248) 
 - The 'mod_dav_svn' module allows setting arbitrary 'svn:author' property values when committing new revisions. This can be accomplished using a specially crafted sequence of requests. A malicious committer can fake 'svn:author' values on his commits. (CVE-2015-0251) 
 - A denial of service vulnerability affects Subversion HTTP servers with FSFS repositories. The 'mod_dav_svn' module may use excessive amounts of memory when processing REPORT requests that require traversing through a large number of FSFS repository nodes (files and directories). With a specially crafted report query, a malicious actor could cause a denial of service condition. Note: This issue only affects 1.8.x installations. (CVE-2015-0202)

The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes. (CVE-2015-0202)

An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash.
(CVE-2015-0248)

It was found that the mod_dav_svn module did not properly validate the svn:author property of certain requests. An attacker able to create new revisions could use this flaw to spoof the svn:author property.
(CVE-2015-0251)

It was discovered that the Subversion mod_dav_svn module incorrectly handled REPORT requests for a resource that does not exist. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3580)

It was discovered that the Subversion mod_dav_svn module incorrectly handled requests requiring a lookup for a virtual transaction name that does not exist. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-8108)

Evgeny Kotkov discovered that the Subversion mod_dav_svn module incorrectly handled large numbers of REPORT requests. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-0202)

Evgeny Kotkov discovered that the Subversion mod_dav_svn and svnserve modules incorrectly certain crafted parameter combinations. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2015-0248)

Ivan Zhakov discovered that the Subversion mod_dav_svn module incorrectly handled crafted v1 HTTP protocol request sequences. A remote attacker could use this issue to spoof the svn:author property.
(CVE-2015-0251)

C. Michael Pilato discovered that the Subversion mod_dav_svn module incorrectly restricted anonymous access. A remote attacker could use this issue to read hidden files via the path name. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3184)

C. Michael Pilato discovered that Subversion incorrectly handled path-based authorization. A remote attacker could use this issue to obtain sensitive path information. (CVE-2015-3187).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update includes the latest stable release of **Apache Subversion**, version **1.8.13**.

Three security vulnerabilities are fixed in this update :

  - CVE-2015-0202:
    https://subversion.apache.org/security/CVE-2015-0202-adv     isory.txt

    - CVE-2015-0248:
      https://subversion.apache.org/security/CVE-2015-0248-a       dvisory.txt

    - CVE-2015-0251:
      https://subversion.apache.org/security/CVE-2015-0251-a       dvisory.txt

In addition, the following changes are included in the Subversion 1.8.13 update :

**Client-side bugfixes:**

  - ra_serf: prevent abort of commits that have already     succeeded

    - ra_serf: support case-insensitivity in HTTP headers

    - better error message if an external is shadowed

    - ra_svn: fix reporting of directory read errors

    - fix a redirect handling bug in 'svn log' over HTTP

    - properly copy tree conflict information

    - fix 'svn patch' output for reordered hunks       http://subversion.tigris.org/issues/show_bug.cgi?id=45       33

    - svnrdump load: don't load wrong props with no-deltas       dump       http://subversion.tigris.org/issues/show_bug.cgi?id=45       51

    - fix working copy corruption with relative file       external       http://subversion.tigris.org/issues/show_bug.cgi?id=44       11

    - don't crash if config file is unreadable

    - svn resolve: don't ask a question with only one answer

    - fix assertion failure in svn move

    - working copy performance improvements

    - handle existing working copies which become externals

    - fix recording of WC meta-data for foreign repos copies

    - fix calculating repository path of replaced       directories

    - fix calculating repository path after commit of       switched nodes

    - svnrdump: don't provide HEAD+1 as base revision for       deletes

    - don't leave conflict markers on files that are moved

    - avoid unnecessary subtree mergeinfo recording

    - fix diff of a locally copied directory with props

**Server-side bugfixes:**

  - fsfs: fix a problem verifying pre-1.4 repos used with     1.8

    - svnadmin freeze: fix memory allocation error

    - svnadmin load: tolerate invalid mergeinfo at r0

    - svnadmin load: strip references to r1 from mergeinfo       http://subversion.tigris.org/issues/show_bug.cgi?id=45       38

    - svnsync: strip any r0 references from mergeinfo       http://subversion.tigris.org/issues/show_bug.cgi?id=44       76

    - fsfs: reduce memory consumption when operating on dag       nodes

    - reject invalid get-location-segments requests in       mod_dav_svn and svnserve

    - mod_dav_svn: reject invalid txnprop change requests

**Client-side and server-side bugfixes:**

  - fix undefined behaviour in string buffer routines

    - fix consistency issues with APR r/w locks on Windows

    - fix occasional SEGV if threads load DSOs in parallel

    - properly duplicate svn error objects

    - fix use-after-free in config parser

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Apache Subversion was updated to 1.8.13 to fix three vulnerabilities and a number of non-security bugs.

This release fixes three vulnerabilities :

  - Subversion HTTP servers with FSFS repositories were     vulnerable to a remotely triggerable excessive memory     use with certain REPORT requests. (bsc#923793     CVE-2015-0202) 

  - Subversion mod_dav_svn and svnserve were vulnerable to a     remotely triggerable assertion DoS vulnerability for     certain requests with dynamically evaluated revision     numbers. (bsc#923794 CVE-2015-0248)

  - Subversion HTTP servers allow spoofing svn:author     property values for new revisions (bsc#923795     CVE-2015-0251)

Non-security fixes :

  - fixes number of client and server side non-security bugs

  - improved working copy performance

  - reduction of resource use

  - stability improvements

  - usability improvements

  - fix sample configuration comments in subversion.conf     [boo#916286]

  - fix bashisms in mailer-init.sh script

Multiple vulnerabilities has been discovered and corrected in subversion :

Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests (CVE-2015-0202).

Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers (CVE-2015-0248).

Subversion HTTP servers allow spoofing svn:author property values for new revisions (CVE-2015-0251).

The updated packages have been upgraded to the 1.7.20 and 1.8.13 versions where these security flaws has been fixed.

Subversion Project reports :

Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests.

Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers.

Subversion HTTP servers allow spoofing svn:author property values for new revisions.

ID	Name	Product	Family	Severity
93992	GLSA-201610-05 : Subversion, Serf: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
8972	Apache Subversion 1.7.x < 1.7.20 / 1.8.x < 1.8.12 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
85632	Amazon Linux AMI : subversion / mod_dav_svn (ALAS-2015-587)	Nessus	Amazon Linux Local Security Checks	high
85579	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : subversion vulnerabilities (USN-2721-1)	Nessus	Ubuntu Local Security Checks	high
85065	Fedora 21 : subversion-1.8.13-7.fc21 (2015-11795)	Nessus	Fedora Local Security Checks	high
82635	openSUSE Security Update : subversion (openSUSE-2015-289)	Nessus	SuSE Local Security Checks	high
82563	Mandriva Linux Security Advisory : subversion (MDVSA-2015:192)	Nessus	Mandriva Local Security Checks	high
82481	FreeBSD : subversion -- DoS vulnerabilities (8e887b71-d769-11e4-b1c2-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	high

CVE-2015-0202

HIGH

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

high

high

high

high

high

high