[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1VsxKO-0004zT-Jo@titan.mandriva.com>
Date: Tue, 17 Dec 2013 17:17:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2013:288 ] subversion
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:288
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : subversion
Date : December 17, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Updated subversion package fixes security vulnerabilities:
mod_dontdothat allows you to block update REPORT requests against
certain paths in the repository. It expects the paths in the REPORT
request to be absolute URLs. Serf based clients send relative URLs
instead of absolute URLs in many cases. As a result these clients
are not blocked as configured by mod_dontdothat (CVE-2013-4505).
When SVNAutoversioning is enabled via SVNAutoversioning on,
commits can be made by single HTTP requests such as MKCOL and PUT.
If Subversion is built with assertions enabled any such requests
that have non-canonical URLs, such as URLs with a trailing /, may
trigger an assert. An assert will cause the Apache process to abort
(CVE-2013-4558).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558
http://advisories.mageia.org/MGASA-2013-0360.html
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
1d62fa579ffae8bd706142dad45105da mes5/i586/apache-mod_dav_svn-1.7.14-0.1mdvmes5.2.i586.rpm
90d784c463acf8b78c1c691b2f30d6dd mes5/i586/libsvn0-1.7.14-0.1mdvmes5.2.i586.rpm
c47b980a3ea89f15b8619d253d8f23f4 mes5/i586/libsvnjavahl1-1.7.14-0.1mdvmes5.2.i586.rpm
62a6b7850e09694fdfc0478a96e2642a mes5/i586/perl-SVN-1.7.14-0.1mdvmes5.2.i586.rpm
a38c85d2badb6f099d1578d27c81ccb3 mes5/i586/perl-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm
dbda83b4ca0fd7594357686a512a9366 mes5/i586/python-svn-1.7.14-0.1mdvmes5.2.i586.rpm
9f825413b80cf29fe2ba78a94f7d64bb mes5/i586/python-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm
308adec20a31c7dd0c6cf69c43624e81 mes5/i586/ruby-svn-1.7.14-0.1mdvmes5.2.i586.rpm
3158f991bd283c715954591bcad317c8 mes5/i586/ruby-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm
12692ba193dec95fff2f0d54a9dceb85 mes5/i586/subversion-1.7.14-0.1mdvmes5.2.i586.rpm
15dec4d935c6c0dcb27133d041d6f251 mes5/i586/subversion-devel-1.7.14-0.1mdvmes5.2.i586.rpm
6a244097644da7b883f4d9728859f54e mes5/i586/subversion-doc-1.7.14-0.1mdvmes5.2.i586.rpm
7c8e22b78d0e37af09e566fe84a6f72e mes5/i586/subversion-server-1.7.14-0.1mdvmes5.2.i586.rpm
42c72886b4f762de675423647fbd4d98 mes5/i586/subversion-tools-1.7.14-0.1mdvmes5.2.i586.rpm
5dc67eac926230ccf2cf8f6ad56ee711 mes5/i586/svn-javahl-1.7.14-0.1mdvmes5.2.i586.rpm
7201e07969effc89b5f05e14f02a3dbf mes5/SRPMS/subversion-1.7.14-0.1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
58344ddf6bdf2e082fc9eb9c370c1d6c mes5/x86_64/apache-mod_dav_svn-1.7.14-0.1mdvmes5.2.x86_64.rpm
ba396e7cc6a0b57a60d4328bf9f4e4d2 mes5/x86_64/lib64svn0-1.7.14-0.1mdvmes5.2.x86_64.rpm
873f5a1f6aa95d2bf72696dbb871fefe mes5/x86_64/lib64svnjavahl1-1.7.14-0.1mdvmes5.2.x86_64.rpm
6fc320c4c8c01a1099cd6cdfaaf0a821 mes5/x86_64/perl-SVN-1.7.14-0.1mdvmes5.2.x86_64.rpm
69ddd7592494175520da5ad5341e1fc9 mes5/x86_64/perl-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
9ee72e400941c6e6187116107da5899a mes5/x86_64/python-svn-1.7.14-0.1mdvmes5.2.x86_64.rpm
1797db04f38985ef088ec2564b04029d mes5/x86_64/python-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
18ee8cf84ee12d32f3a7419a03704316 mes5/x86_64/ruby-svn-1.7.14-0.1mdvmes5.2.x86_64.rpm
06c6c293e7f27f0747c1253a5906ff31 mes5/x86_64/ruby-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
f797fd2bdb68d576bfea93bc03dc4a76 mes5/x86_64/subversion-1.7.14-0.1mdvmes5.2.x86_64.rpm
338eab05e30504debf272a51d72607c3 mes5/x86_64/subversion-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
74bac1ee842f300896bb58c017b39223 mes5/x86_64/subversion-doc-1.7.14-0.1mdvmes5.2.x86_64.rpm
25f6cd72c7fce5416af388218e221957 mes5/x86_64/subversion-server-1.7.14-0.1mdvmes5.2.x86_64.rpm
0ca18c4790cf3220833b68a0a04642b6 mes5/x86_64/subversion-tools-1.7.14-0.1mdvmes5.2.x86_64.rpm
f36cf1106c787f0a1732e4f1b27d151a mes5/x86_64/svn-javahl-1.7.14-0.1mdvmes5.2.x86_64.rpm
7201e07969effc89b5f05e14f02a3dbf mes5/SRPMS/subversion-1.7.14-0.1mdvmes5.2.src.rpm
Mandriva Business Server 1/X86_64:
8eaa5477089468e118b8e3e37fdfa136 mbs1/x86_64/apache-mod_dav_svn-1.7.14-0.1.mbs1.x86_64.rpm
1e213dc581bfc397f250c0d830969cea mbs1/x86_64/lib64svn0-1.7.14-0.1.mbs1.x86_64.rpm
8bf03ee5f00dc27844b27887dd69874b mbs1/x86_64/lib64svn-gnome-keyring0-1.7.14-0.1.mbs1.x86_64.rpm
a445a790fa679c1336a76455823a71f4 mbs1/x86_64/lib64svnjavahl1-1.7.14-0.1.mbs1.x86_64.rpm
c72a3886afb0fd0b4442678fba184f7b mbs1/x86_64/perl-SVN-1.7.14-0.1.mbs1.x86_64.rpm
0ec8baf5d59f783eb597dc56b02eb443 mbs1/x86_64/perl-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm
75a468494a343b9ad30f50daf9ff8bae mbs1/x86_64/python-svn-1.7.14-0.1.mbs1.x86_64.rpm
6acf2fc86952e7ff6f80249efa3a2b85 mbs1/x86_64/python-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm
5968e570d367b5f1108ddfbb68919ecd mbs1/x86_64/ruby-svn-1.7.14-0.1.mbs1.x86_64.rpm
9409c0f3a3609e4828fbebf663305ee5 mbs1/x86_64/ruby-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm
64a752059f681dad3d0eee9a08842574 mbs1/x86_64/subversion-1.7.14-0.1.mbs1.x86_64.rpm
9ac971374394757e942afd4f7e58735c mbs1/x86_64/subversion-devel-1.7.14-0.1.mbs1.x86_64.rpm
5c2675975cd738271399170583c1bc93 mbs1/x86_64/subversion-doc-1.7.14-0.1.mbs1.x86_64.rpm
4cfccaa84ed2fe9b6e2c2dee34b20c30 mbs1/x86_64/subversion-gnome-keyring-devel-1.7.14-0.1.mbs1.x86_64.rpm
12ab8392f8eeb1d803284e58554337af mbs1/x86_64/subversion-server-1.7.14-0.1.mbs1.x86_64.rpm
d5d76797698ab08ccffed5e75f89c317 mbs1/x86_64/subversion-tools-1.7.14-0.1.mbs1.x86_64.rpm
8573ae56f5f3289d2cce2c56d3f60f53 mbs1/x86_64/svn-javahl-1.7.14-0.1.mbs1.x86_64.rpm
f0dae800b549b3d4e40e7f7b497b37b6 mbs1/SRPMS/subversion-1.7.14-0.1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFSsEzymqjQ0CJFipgRAvIfAJ9DMlIqd+FYAkiAr13GioFFbiKO5wCglpaQ
eArXx+wROjIIeYmUpmpyvM0=
=L3Es
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists