Debian DSA-3331-1 : subversion - security update

Nessus Plugin ID 85354 (severity: medium)

Synopsis

The remote Debian host is missing a security-related update.

Description

Several security issues have been found in the server components of the version control system subversion.

- CVE-2015-3184 Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. As a result, anonymous users may be able to access files that should be accessible only to authenticated users. This issue does not affect the oldstable distribution (wheezy) because it only contains Apache httpd 2.2.

- CVE-2015-3187 Subversion servers, both httpd and svnserve, reveal some paths that should be hidden by path-based authz. When a node is copied from an unreadable location to a readable location, the unreadable source path may be revealed. This vulnerability reveals only the path, not the contents stored at that path.

Solution

Upgrade the subversion packages.

For the oldstable distribution (wheezy), this problem has been fixed in version 1.6.17dfsg-4+deb7u10.

For the stable distribution (jessie), these problems have been fixed in version 1.8.10-6+deb8u1.
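As an added example (not part of the Nessus plugin or Debian's advisory), the following Python check does what the plugin's local test does with its Host/Debian/release and Host/Debian/dpkg-l KB items: it compares installed package versions against the fixed versions above using the Debian version-ordering rules. The binary package names checked and the `dpkg -l` excerpt are assumptions constructed for the example.

```python
import re
from itertools import zip_longest
# DSA-3331 fixed versions by Debian release major; binary package names are assumed.
FIXED = {"7": "1.6.17dfsg-4+deb7u10", "8": "1.8.10-6+deb8u1"}
PACKAGES = {"subversion", "libsvn1", "libapache2-svn", "subversion-tools"}

def _order(c):
    """Debian Policy 5.6.12: '~' < end of string (None) < letters < other characters."""
    if c is None or c == "~":
        return 0 if c is None else -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare upstream or revision fragments as dpkg does: alternating non-digit and digit runs."""
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        for oa, ob in ((_order(x), _order(y)) for x, y in zip_longest(sa, sb)):
            if oa != ob:
                return (oa > ob) - (oa < ob)
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return (ia > ib) - (ia < ib)
    return 0

def compare_versions(v1, v2):
    """-1, 0 or 1 like `dpkg --compare-versions`, on [epoch:]upstream[-revision]."""
    def split(v):
        m = re.match(r"(?:(\d+):)?(.*?)(?:-([^-]*))?$", v)
        return int(m.group(1) or 0), m.group(2), m.group(3) or "0"
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def missing_updates(release, dpkg_l):
    """[(package, installed, fixed)] for installed ('ii', not leftover-config 'rc') rows older than the fix."""
    fixed = FIXED.get(release.split(".")[0])   # None: release not covered by this DSA
    hits = []
    for cols in (ln.split() for ln in dpkg_l.splitlines() if fixed):
        if cols[:1] == ["ii"] and len(cols) > 2 and cols[1].split(":")[0] in PACKAGES:
            if compare_versions(cols[2], fixed) < 0:
                hits.append((cols[1], cols[2], fixed))
    return hits

# Constructed `dpkg -l` excerpt for a jessie host, not real scan output.
SAMPLE_DPKG_L = """\
ii  libsvn1:amd64    1.8.10-6         amd64  Shared libraries used by Apache Subversion
ii  subversion       1.8.10-6+deb8u1  amd64  Advanced version control system
rc  subversion-tools 1.8.10-5         amd64  Assorted tools related to Apache Subversion
"""
```

On the sample host only libsvn1 is reported: the subversion package already carries the fixed version, and the removed subversion-tools row is configuration residue with no code on disk.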

See Also

https://security-tracker.debian.org/tracker/CVE-2015-3184

https://security-tracker.debian.org/tracker/CVE-2015-3187

https://packages.debian.org/source/wheezy/subversion

https://packages.debian.org/source/jessie/subversion

https://www.debian.org/security/2015/dsa-3331

Plugin Details

Severity: Medium

ID: 85354

File Name: debian_DSA-3331.nasl

Version: 2.4

Type: local

Agent: unix

Published: 8/13/2015

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:subversion, cpe:/o:debian:debian_linux:7.0, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 8/10/2015

Reference Information

CVE: CVE-2015-3184, CVE-2015-3187

DSA: 3331