GLSA-200409-35 : Subversion: Metadata information leak

Medium Nessus Plugin ID 15406


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-200409-35 (Subversion: Metadata information leak).

There is a bug in mod_authz_svn that causes it to reveal logged metadata regarding commits to protected areas.

Impact:

Protected files themselves will not be revealed, but an attacker could use the metadata to reveal the existence of protected areas, such as paths, file versions, and the commit logs from those areas.

Workaround:

Rather than using mod_authz_svn, move protected areas into separate repositories and use native Apache authentication to make these repositories unreadable.


All Subversion users should upgrade to the latest version:
# emerge sync
# emerge -pv '>=dev-util/subversion-1.0.8'
# emerge '>=dev-util/subversion-1.0.8'

Plugin Details

Severity: Medium

ID: 15406

File Name: gentoo_GLSA-200409-35.nasl

Version: $Revision: 1.15 $

Type: local

Published: 2004/10/01

Modified: 2015/08/24

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:subversion, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 2004/09/29

Vulnerability Publication Date: 2004/09/23

Reference Information

CVE: CVE-2004-0749

OSVDB: 10217

GLSA: 200409-35