Debian DSA-3331-1 : subversion - security update

medium Nessus Plugin ID 85354
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Debian host is missing a security-related update.

Description

Several security issues have been found in the server components of the version control system subversion.

- CVE-2015-3184 Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. The result is that anonymous access may be possible to files for which only authenticated access should be possible. This issue does not affect the oldstable distribution (wheezy) because it only contains Apache httpd 2.2.

- CVE-2015-3187 Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by path-based authz.
When a node is copied from an unreadable location to a readable location the unreadable path may be revealed.
This vulnerablity only reveals the path, it does not reveal the contents of the path.

Solution

Upgrade the subversion packages.

For the oldstable distribution (wheezy), this problem has been fixed in version 1.6.17dfsg-4+deb7u10.

For the stable distribution (jessie), these problems have been fixed in version 1.8.10-6+deb8u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2015-3184

https://security-tracker.debian.org/tracker/CVE-2015-3187

https://packages.debian.org/source/wheezy/subversion

https://packages.debian.org/source/jessie/subversion

https://www.debian.org/security/2015/dsa-3331

Plugin Details

Severity: Medium

ID: 85354

File Name: debian_DSA-3331.nasl

Version: 2.4

Type: local

Agent: unix

Published: 8/13/2015

Updated: 1/11/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:subversion, cpe:/o:debian:debian_linux:7.0, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 8/10/2015

Reference Information

CVE: CVE-2015-3184, CVE-2015-3187

DSA: 3331