Информационная безопасность
[RU] switch to English


Дополнительная информация

  Уязвимости безопасности в Apache Subversion

  [slackware-security]  subversion (SSA:2014-058-
01)

From:MANDRIVA
Date:9 января 2014 г.
Subject:[ MDVSA-2013:288 ] subversion



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2013:288
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : subversion
Date    : December 17, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Updated subversion package fixes security vulnerabilities:

mod_dontdothat allows you to block update REPORT requests against
certain paths in the repository.  It expects the paths in the REPORT
request to be absolute URLs.  Serf based clients send relative URLs
instead of absolute URLs in many cases.  As a result these clients
are not blocked as configured by mod_dontdothat (CVE-2013-4505).

When SVNAutoversioning is enabled via SVNAutoversioning on,
commits can be made by single HTTP requests such as MKCOL and PUT.
If Subversion is built with assertions enabled any such requests
that have non-canonical URLs, such  as URLs with a trailing /, may
trigger an assert.  An assert will cause the Apache process to abort
(CVE-2013-4558).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558
http://advisories.mageia.org/MGASA-2013-0360.html
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
1d62fa579ffae8bd706142dad45105da  mes5/i586/apache-mod_dav_svn-1.7.14-0.1mdvmes5.2.i586.rpm
90d784c463acf8b78c1c691b2f30d6dd  mes5/i586/libsvn0-1.7.14-0.1mdvmes5.2.i586.rpm
c47b980a3ea89f15b8619d253d8f23f4  mes5/i586/libsvnjavahl1-1.7.14-0.1mdvmes5.2.i586.rpm
62a6b7850e09694fdfc0478a96e2642a  mes5/i586/perl-SVN-1.7.14-0.1mdvmes5.2.i586.rpm
a38c85d2badb6f099d1578d27c81ccb3  mes5/i586/perl-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm
dbda83b4ca0fd7594357686a512a9366  mes5/i586/python-svn-1.7.14-0.1mdvmes5.2.i586.rpm
9f825413b80cf29fe2ba78a94f7d64bb  mes5/i586/python-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm
308adec20a31c7dd0c6cf69c43624e81  mes5/i586/ruby-svn-1.7.14-0.1mdvmes5.2.i586.rpm
3158f991bd283c715954591bcad317c8  mes5/i586/ruby-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm
12692ba193dec95fff2f0d54a9dceb85  mes5/i586/subversion-1.7.14-0.1mdvmes5.2.i586.rpm
15dec4d935c6c0dcb27133d041d6f251  mes5/i586/subversion-devel-1.7.14-0.1mdvmes5.2.i586.rpm
6a244097644da7b883f4d9728859f54e  mes5/i586/subversion-doc-1.7.14-0.1mdvmes5.2.i586.rpm
7c8e22b78d0e37af09e566fe84a6f72e  mes5/i586/subversion-server-1.7.14-0.1mdvmes5.2.i586.rpm
42c72886b4f762de675423647fbd4d98  mes5/i586/subversion-tools-1.7.14-0.1mdvmes5.2.i586.rpm
5dc67eac926230ccf2cf8f6ad56ee711  mes5/i586/svn-javahl-1.7.14-0.1mdvmes5.2.i586.rpm
7201e07969effc89b5f05e14f02a3dbf  mes5/SRPMS/subversion-1.7.14-0.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
58344ddf6bdf2e082fc9eb9c370c1d6c  mes5/x86_64/apache-mod_dav_svn-1.7.14-0.1mdvmes5.2.x86_64.rpm
ba396e7cc6a0b57a60d4328bf9f4e4d2  mes5/x86_64/lib64svn0-1.7.14-0.1mdvmes5.2.x86_64.rpm
873f5a1f6aa95d2bf72696dbb871fefe  mes5/x86_64/lib64svnjavahl1-1.7.14-0.1mdvmes5.2.x86_64.rpm
6fc320c4c8c01a1099cd6cdfaaf0a821  mes5/x86_64/perl-SVN-1.7.14-0.1mdvmes5.2.x86_64.rpm
69ddd7592494175520da5ad5341e1fc9  mes5/x86_64/perl-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
9ee72e400941c6e6187116107da5899a  mes5/x86_64/python-svn-1.7.14-0.1mdvmes5.2.x86_64.rpm
1797db04f38985ef088ec2564b04029d  mes5/x86_64/python-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
18ee8cf84ee12d32f3a7419a03704316  mes5/x86_64/ruby-svn-1.7.14-0.1mdvmes5.2.x86_64.rpm
06c6c293e7f27f0747c1253a5906ff31  mes5/x86_64/ruby-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
f797fd2bdb68d576bfea93bc03dc4a76  mes5/x86_64/subversion-1.7.14-0.1mdvmes5.2.x86_64.rpm
338eab05e30504debf272a51d72607c3  mes5/x86_64/subversion-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
74bac1ee842f300896bb58c017b39223  mes5/x86_64/subversion-doc-1.7.14-0.1mdvmes5.2.x86_64.rpm
25f6cd72c7fce5416af388218e221957  mes5/x86_64/subversion-server-1.7.14-0.1mdvmes5.2.x86_64.rpm
0ca18c4790cf3220833b68a0a04642b6  mes5/x86_64/subversion-tools-1.7.14-0.1mdvmes5.2.x86_64.rpm
f36cf1106c787f0a1732e4f1b27d151a  mes5/x86_64/svn-javahl-1.7.14-0.1mdvmes5.2.x86_64.rpm
7201e07969effc89b5f05e14f02a3dbf  mes5/SRPMS/subversion-1.7.14-0.1mdvmes5.2.src.rpm

Mandriva Business Server 1/X86_64:
8eaa5477089468e118b8e3e37fdfa136  mbs1/x86_64/apache-mod_dav_svn-1.7.14-0.1.mbs1.x86_64.rpm
1e213dc581bfc397f250c0d830969cea  mbs1/x86_64/lib64svn0-1.7.14-0.1.mbs1.x86_64.rpm
8bf03ee5f00dc27844b27887dd69874b  mbs1/x86_64/lib64svn-gnome-keyring0-1.7.14-0.1.mbs1.x86_64.rpm
a445a790fa679c1336a76455823a71f4  mbs1/x86_64/lib64svnjavahl1-1.7.14-0.1.mbs1.x86_64.rpm
c72a3886afb0fd0b4442678fba184f7b  mbs1/x86_64/perl-SVN-1.7.14-0.1.mbs1.x86_64.rpm
0ec8baf5d59f783eb597dc56b02eb443  mbs1/x86_64/perl-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm
75a468494a343b9ad30f50daf9ff8bae  mbs1/x86_64/python-svn-1.7.14-0.1.mbs1.x86_64.rpm
6acf2fc86952e7ff6f80249efa3a2b85  mbs1/x86_64/python-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm
5968e570d367b5f1108ddfbb68919ecd  mbs1/x86_64/ruby-svn-1.7.14-0.1.mbs1.x86_64.rpm
9409c0f3a3609e4828fbebf663305ee5  mbs1/x86_64/ruby-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm
64a752059f681dad3d0eee9a08842574  mbs1/x86_64/subversion-1.7.14-0.1.mbs1.x86_64.rpm
9ac971374394757e942afd4f7e58735c  mbs1/x86_64/subversion-devel-1.7.14-0.1.mbs1.x86_64.rpm
5c2675975cd738271399170583c1bc93  mbs1/x86_64/subversion-doc-1.7.14-0.1.mbs1.x86_64.rpm
4cfccaa84ed2fe9b6e2c2dee34b20c30  mbs1/x86_64/subversion-gnome-keyring-devel-1.7.14-0.1.mbs1.x86_64.rpm
12ab8392f8eeb1d803284e58554337af  mbs1/x86_64/subversion-server-1.7.14-0.1.mbs1.x86_64.rpm
d5d76797698ab08ccffed5e75f89c317  mbs1/x86_64/subversion-tools-1.7.14-0.1.mbs1.x86_64.rpm
8573ae56f5f3289d2cce2c56d3f60f53  mbs1/x86_64/svn-javahl-1.7.14-0.1.mbs1.x86_64.rpm
f0dae800b549b3d4e40e7f7b497b37b6  mbs1/SRPMS/subversion-1.7.14-0.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSsEzymqjQ0CJFipgRAvIfAJ9DMlIqd+FYAkiAr13GioFFbiKO5wCglpaQ
eArXx+wROjIIeYmUpmpyvM0=
=L3Es
-----END PGP SIGNATURE-----

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород