Fedora 21 : subversion-1.8.13-7.fc21 (2015-11795)

High Nessus Plugin ID 85065


VPR Score: 3.6

Synopsis

The remote Fedora host is missing a security update.

Description

This update includes the latest stable release of **Apache Subversion**, version **1.8.13**.

Three security vulnerabilities are fixed in this update:

- CVE-2015-0202:
https://subversion.apache.org/security/CVE-2015-0202-advisory.txt

- CVE-2015-0248:
https://subversion.apache.org/security/CVE-2015-0248-advisory.txt

- CVE-2015-0251:
https://subversion.apache.org/security/CVE-2015-0251-advisory.txt

In addition, the following changes are included in the Subversion 1.8.13 update:

**Client-side bugfixes:**

- ra_serf: prevent abort of commits that have already succeeded

- ra_serf: support case-insensitivity in HTTP headers

- better error message if an external is shadowed

- ra_svn: fix reporting of directory read errors

- fix a redirect handling bug in 'svn log' over HTTP

- properly copy tree conflict information

- fix 'svn patch' output for reordered hunks http://subversion.tigris.org/issues/show_bug.cgi?id=4533

- svnrdump load: don't load wrong props with no-deltas dump http://subversion.tigris.org/issues/show_bug.cgi?id=4551

- fix working copy corruption with relative file external http://subversion.tigris.org/issues/show_bug.cgi?id=4411

- don't crash if config file is unreadable

- svn resolve: don't ask a question with only one answer

- fix assertion failure in svn move

- working copy performance improvements

- handle existing working copies which become externals

- fix recording of WC meta-data for foreign repos copies

- fix calculating repository path of replaced directories

- fix calculating repository path after commit of switched nodes

- svnrdump: don't provide HEAD+1 as base revision for deletes

- don't leave conflict markers on files that are moved

- avoid unnecessary subtree mergeinfo recording

- fix diff of a locally copied directory with props

**Server-side bugfixes:**

- fsfs: fix a problem verifying pre-1.4 repos used with 1.8

- svnadmin freeze: fix memory allocation error

- svnadmin load: tolerate invalid mergeinfo at r0

- svnadmin load: strip references to r1 from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4538

- svnsync: strip any r0 references from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4476

- fsfs: reduce memory consumption when operating on dag nodes

- reject invalid get-location-segments requests in mod_dav_svn and svnserve

- mod_dav_svn: reject invalid txnprop change requests

**Client-side and server-side bugfixes:**

- fix undefined behaviour in string buffer routines

- fix consistency issues with APR r/w locks on Windows

- fix occasional SEGV if threads load DSOs in parallel

- properly duplicate svn error objects

- fix use-after-free in config parser

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected subversion package.

See Also

http://subversion.tigris.org/issues/show_bug.cgi?id=4411

http://subversion.tigris.org/issues/show_bug.cgi?id=4476

http://subversion.tigris.org/issues/show_bug.cgi?id=4533

http://subversion.tigris.org/issues/show_bug.cgi?id=4538

http://subversion.tigris.org/issues/show_bug.cgi?id=4551

https://bugzilla.redhat.com/show_bug.cgi?id=1205134

https://bugzilla.redhat.com/show_bug.cgi?id=1205138

https://bugzilla.redhat.com/show_bug.cgi?id=1205140

http://www.nessus.org/u?1c4153a0

https://subversion.apache.org/security/CVE-2015-0202-advisory.txt

https://subversion.apache.org/security/CVE-2015-0248-advisory.txt

https://subversion.apache.org/security/CVE-2015-0251-advisory.txt

Plugin Details

Severity: High

ID: 85065

File Name: fedora_2015-11795.nasl

Version: 2.5

Type: local

Agent: unix

Published: 2015/07/29

Updated: 2021/01/11

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 3.6

CVSS v2.0

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:subversion, cpe:/o:fedoraproject:fedora:21

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 2015/07/17

Vulnerability Publication Date: 2015/04/08

Reference Information

CVE: CVE-2015-0202, CVE-2015-0248, CVE-2015-0251

FEDORA: 2015-11795