openSUSE Security Update : subversion (openSUSE-2016-1435)

medium Nessus Plugin ID 95707

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for subversion fixes the following issues:

- Version update to 1.9.5:
  - Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s):// (boo#1011552, CVE-2016-8734)
  - Client-side bugfixes:
    - fix accessing non-existent paths during reintegrate merge (r1766699 et al)
    - fix handling of newly secured subdirectories in working copy (r1724448)
    - info: remove trailing whitespace in --show-item=revision (issue #4660)
    - fix recording wrong revisions for tree conflicts (r1734106)
    - gpg-agent: improve discovery of gpg-agent sockets (r1766327)
    - gpg-agent: fix file descriptor leak (r1766323)
    - resolve: fix --accept=mine-full for binary files (issue #4647)
    - merge: fix possible crash (issue #4652)
    - resolve: fix possible crash (r1748514)
    - fix potential crash in Win32 crash reporter (r1663253 et al)
  - Server-side bugfixes:
    - fsfs: fix 'offset too large' error during pack (issue #4657)
    - svnserve: enable hook script environments (r1769152)
    - fsfs: fix possible data reconstruction error (issue #4658)
    - fix source of spurious 'incoming edit' tree conflicts (r1770108)
    - fsfs: improve caching for large directories (r1721285)
    - fsfs: fix crash when encountering all-zero checksums (r1759686)
    - fsfs: fix potential source of repository corruptions (r1756266)
    - mod_dav_svn: fix excessive memory usage with mod_headers/mod_deflate (issue #3084)
    - mod_dav_svn: reduce memory usage during GET requests (r1757529 et al)
    - fsfs: fix unexpected 'database is locked' errors (r1741096 et al)
    - fsfs: fix opening old repositories without db/format files (r1720015)
  - Client-side and server-side bugfixes:
    - fix possible crash when reading invalid configuration files (r1715777)
  - Bindings bugfixes:
    - swig-pl: do not corrupt '(DATE)' revision variable (r1767768)
    - javahl: fix temporary accepting SSL server certificates (r1764851)
    - swig-pl: fix possible stack corruption (r1683266, r1683267)

Solution

Update the affected subversion packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1011552

Plugin Details

Severity: Medium

ID: 95707

File Name: openSUSE-2016-1435.nasl

Version: 3.6

Type: local

Agent: unix

Published: 12/12/2016

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0, p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0-debuginfo, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0-debuginfo, p-cpe:/a:novell:opensuse:subversion, p-cpe:/a:novell:opensuse:subversion-bash-completion, p-cpe:/a:novell:opensuse:subversion-debuginfo, p-cpe:/a:novell:opensuse:subversion-debugsource, p-cpe:/a:novell:opensuse:subversion-devel, p-cpe:/a:novell:opensuse:subversion-perl, p-cpe:/a:novell:opensuse:subversion-perl-debuginfo, p-cpe:/a:novell:opensuse:subversion-python, p-cpe:/a:novell:opensuse:subversion-python-ctypes, p-cpe:/a:novell:opensuse:subversion-python-debuginfo, p-cpe:/a:novell:opensuse:subversion-ruby, p-cpe:/a:novell:opensuse:subversion-ruby-debuginfo, p-cpe:/a:novell:opensuse:subversion-server, p-cpe:/a:novell:opensuse:subversion-server-debuginfo, p-cpe:/a:novell:opensuse:subversion-tools, p-cpe:/a:novell:opensuse:subversion-tools-debuginfo, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 12/9/2016

Vulnerability Publication Date: 10/16/2017

Reference Information

CVE: CVE-2016-8734