openSUSE Security Update : subversion (openSUSE-2015-289)

High Nessus Plugin ID 82635

VPR Score: 3.6

Synopsis

The remote openSUSE host is missing a security update.

Description

Apache Subversion was updated to 1.8.13 to fix three vulnerabilities and a number of non-security bugs.

This release fixes three vulnerabilities:

- Subversion HTTP servers with FSFS repositories were vulnerable to remotely triggerable excessive memory use with certain REPORT requests. (bsc#923793 CVE-2015-0202)

- Subversion mod_dav_svn and svnserve were vulnerable to a remotely triggerable assertion DoS for certain requests with dynamically evaluated revision numbers. (bsc#923794 CVE-2015-0248)

- Subversion HTTP servers allowed spoofing of svn:author property values for new revisions. (bsc#923795 CVE-2015-0251)

Non-security fixes:

- fixes a number of client-side and server-side non-security bugs

- improved working copy performance

- reduction of resource use

- stability improvements

- usability improvements

- fix sample configuration comments in subversion.conf [boo#916286]

- fix bashisms in mailer-init.sh script

Solution

Update the affected subversion packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=916286

https://bugzilla.opensuse.org/show_bug.cgi?id=923793

https://bugzilla.opensuse.org/show_bug.cgi?id=923794

https://bugzilla.opensuse.org/show_bug.cgi?id=923795

Plugin Details

Severity: High

ID: 82635

File Name: openSUSE-2015-289.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2015/04/08

Updated: 2021/01/19

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 3.6

CVSS v2.0

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0, p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0-debuginfo, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0-debuginfo, p-cpe:/a:novell:opensuse:subversion, p-cpe:/a:novell:opensuse:subversion-bash-completion, p-cpe:/a:novell:opensuse:subversion-debuginfo, p-cpe:/a:novell:opensuse:subversion-debugsource, p-cpe:/a:novell:opensuse:subversion-devel, p-cpe:/a:novell:opensuse:subversion-perl, p-cpe:/a:novell:opensuse:subversion-perl-debuginfo, p-cpe:/a:novell:opensuse:subversion-python, p-cpe:/a:novell:opensuse:subversion-python-ctypes, p-cpe:/a:novell:opensuse:subversion-python-debuginfo, p-cpe:/a:novell:opensuse:subversion-ruby, p-cpe:/a:novell:opensuse:subversion-ruby-debuginfo, p-cpe:/a:novell:opensuse:subversion-server, p-cpe:/a:novell:opensuse:subversion-server-debuginfo, p-cpe:/a:novell:opensuse:subversion-tools, p-cpe:/a:novell:opensuse:subversion-tools-debuginfo, cpe:/o:novell:opensuse:13.1, cpe:/o:novell:opensuse:13.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2015/03/31

Reference Information

CVE: CVE-2015-0202, CVE-2015-0248, CVE-2015-0251