openSUSE Security Update : subversion (openSUSE-SU-2013:0687-1)

Medium Nessus Plugin ID 74976

VPR Score: 4.4

Synopsis

The remote openSUSE host is missing a security update.

Description

Subversion received minor version updates to fix remotely triggerable vulnerabilities in mod_dav_svn which may result in denial of service.

On openSUSE 12.1 :

- update to 1.6.21 [bnc#813913], addressing remotely triggerable

+ CVE-2013-1845: mod_dav_svn excessive memory usage from property changes

+ CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs

+ CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs

+ CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs

- further changes :

+ mod_dav_svn will omit some property values for activity URLs

+ improve memory usage when committing properties in mod_dav_svn

+ fix mod_dav_svn runs pre-revprop-change twice

+ fixed: post-revprop-change errors cancel commit

+ improved logic in mod_dav_svn's implementation of lock.

+ fix a compatibility issue with g++ 4.7

On openSUSE 12.2 and 12.3 :

- update to 1.7.9 [bnc#813913], addressing remotely triggerable vulnerabilities in mod_dav_svn which may result in denial of service :

+ CVE-2013-1845: mod_dav_svn excessive memory usage from property changes

+ CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs

+ CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs

+ CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs

+ CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT

- further changes :

+ Client-side bugfixes :

- improved error messages about svn:date and svn:author props.

- fix local_relpath assertion

- fix memory leak in `svn log` over svn://

- fix incorrect authz failure when using neon http library

- fix segfault when using kwallet

+ Server-side bugfixes :

- svnserve will log the replayed rev not the low-water rev.

- mod_dav_svn will omit some property values for activity URLs

- fix an assertion in mod_dav_svn when acting as a proxy on /

- improve memory usage when committing properties in mod_dav_svn

- fix svnrdump to load dump files with non-LF line endings

- fix assertion when rep-cache is inaccessible

- improved logic in mod_dav_svn's implementation of lock.

- avoid executing unnecessary code in log with limit

- Developer-visible changes :

+ General :

- fix an assertion in dav_svn_get_repos_path() on Windows

- fix get-deps.sh to correctly download zlib

- doxygen docs will now ignore prefixes when producing the index

- fix get-deps.sh on FreeBSD

+ Bindings :

- javahl status api now respects the ignoreExternals boolean

- refresh subversion-no-build-date.patch for upstream source changes

Solution

Update the affected subversion packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=813913

https://lists.opensuse.org/opensuse-updates/2013-04/msg00095.html

Plugin Details

Severity: Medium

ID: 74976

File Name: openSUSE-2013-345.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2014/06/13

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 4.4

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0, p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0-debuginfo, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0-debuginfo, p-cpe:/a:novell:opensuse:subversion, p-cpe:/a:novell:opensuse:subversion-bash-completion, p-cpe:/a:novell:opensuse:subversion-debuginfo, p-cpe:/a:novell:opensuse:subversion-debugsource, p-cpe:/a:novell:opensuse:subversion-devel, p-cpe:/a:novell:opensuse:subversion-perl, p-cpe:/a:novell:opensuse:subversion-perl-debuginfo, p-cpe:/a:novell:opensuse:subversion-python, p-cpe:/a:novell:opensuse:subversion-python-debuginfo, p-cpe:/a:novell:opensuse:subversion-ruby, p-cpe:/a:novell:opensuse:subversion-ruby-debuginfo, p-cpe:/a:novell:opensuse:subversion-server, p-cpe:/a:novell:opensuse:subversion-server-debuginfo, p-cpe:/a:novell:opensuse:subversion-tools, p-cpe:/a:novell:opensuse:subversion-tools-debuginfo, cpe:/o:novell:opensuse:12.1, cpe:/o:novell:opensuse:12.2, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2013/04/08

Reference Information

CVE: CVE-2013-1845, CVE-2013-1846, CVE-2013-1847, CVE-2013-1849, CVE-2013-1884