Debian DSA-2703-1 : subversion - several vulnerabilities

high Nessus Plugin ID 66846

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2013-1968: Subversion repositories with the FSFS repository data store format can be corrupted by newline characters in filenames. A remote attacker with a malicious client could use this flaw to disrupt the service for other users using that repository.

- CVE-2013-2112: Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process. A remote attacker can cause svnserve to exit and thus deny service to users of the server.

Solution

Upgrade the subversion packages.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.6.12dfsg-7.

For the stable distribution (wheezy), these problems have been fixed in version 1.6.17dfsg-4+deb7u3.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711033

https://security-tracker.debian.org/tracker/CVE-2013-1968

https://security-tracker.debian.org/tracker/CVE-2013-2112

https://packages.debian.org/source/squeeze/subversion

https://packages.debian.org/source/wheezy/subversion

https://www.debian.org/security/2013/dsa-2703

Plugin Details

Severity: High

ID: 66846

File Name: debian_DSA-2703.nasl

Version: 1.11

Type: local

Agent: unix

Published: 6/10/2013

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:subversion, cpe:/o:debian:debian_linux:6.0, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 6/9/2013

Reference Information

CVE: CVE-2013-1968, CVE-2013-2112

BID: 60264, 60267

DSA: 2703