Debian DSA-3561-1 : subversion - security update

medium Nessus Plugin ID 90808

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2016-2167 Daniel Shahaf and James McCoy discovered that an implementation error in the authentication against the Cyrus SASL library would permit a remote user to specify a realm string which is a prefix of the expected realm string and potentially allowing a user to authenticate using the wrong realm.

- CVE-2016-2168 Ivan Zhakov of VisualSVN discovered a remotely triggerable denial of service vulnerability in the mod_authz_svn module during COPY or MOVE authorization check. An authenticated remote attacker could take advantage of this flaw to cause a denial of service (Subversion server crash) via COPY or MOVE requests with specially crafted header.

Solution

Upgrade the subversion packages.

For the stable distribution (jessie), these problems have been fixed in version 1.8.10-6+deb8u4.

See Also

https://security-tracker.debian.org/tracker/CVE-2016-2167

https://security-tracker.debian.org/tracker/CVE-2016-2168

https://packages.debian.org/source/jessie/subversion

https://www.debian.org/security/2016/dsa-3561

Plugin Details

Severity: Medium

ID: 90808

File Name: debian_DSA-3561.nasl

Version: 2.9

Type: local

Agent: unix

Published: 5/2/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:subversion, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 4/29/2016

Reference Information

CVE: CVE-2016-2167, CVE-2016-2168

DSA: 3561