lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1VsxKO-0004zT-Jo@titan.mandriva.com>
Date: Tue, 17 Dec 2013 17:17:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2013:288 ] subversion

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:288
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : subversion
 Date    : December 17, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Updated subversion package fixes security vulnerabilities:
 
 mod_dontdothat allows you to block update REPORT requests against
 certain paths in the repository.  It expects the paths in the REPORT
 request to be absolute URLs.  Serf based clients send relative URLs
 instead of absolute URLs in many cases.  As a result these clients
 are not blocked as configured by mod_dontdothat (CVE-2013-4505).
 
 When SVNAutoversioning is enabled via SVNAutoversioning on,
 commits can be made by single HTTP requests such as MKCOL and PUT.
 If Subversion is built with assertions enabled any such requests
 that have non-canonical URLs, such  as URLs with a trailing /, may
 trigger an assert.  An assert will cause the Apache process to abort
 (CVE-2013-4558).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558
 http://advisories.mageia.org/MGASA-2013-0360.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 1d62fa579ffae8bd706142dad45105da  mes5/i586/apache-mod_dav_svn-1.7.14-0.1mdvmes5.2.i586.rpm
 90d784c463acf8b78c1c691b2f30d6dd  mes5/i586/libsvn0-1.7.14-0.1mdvmes5.2.i586.rpm
 c47b980a3ea89f15b8619d253d8f23f4  mes5/i586/libsvnjavahl1-1.7.14-0.1mdvmes5.2.i586.rpm
 62a6b7850e09694fdfc0478a96e2642a  mes5/i586/perl-SVN-1.7.14-0.1mdvmes5.2.i586.rpm
 a38c85d2badb6f099d1578d27c81ccb3  mes5/i586/perl-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm
 dbda83b4ca0fd7594357686a512a9366  mes5/i586/python-svn-1.7.14-0.1mdvmes5.2.i586.rpm
 9f825413b80cf29fe2ba78a94f7d64bb  mes5/i586/python-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm
 308adec20a31c7dd0c6cf69c43624e81  mes5/i586/ruby-svn-1.7.14-0.1mdvmes5.2.i586.rpm
 3158f991bd283c715954591bcad317c8  mes5/i586/ruby-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm
 12692ba193dec95fff2f0d54a9dceb85  mes5/i586/subversion-1.7.14-0.1mdvmes5.2.i586.rpm
 15dec4d935c6c0dcb27133d041d6f251  mes5/i586/subversion-devel-1.7.14-0.1mdvmes5.2.i586.rpm
 6a244097644da7b883f4d9728859f54e  mes5/i586/subversion-doc-1.7.14-0.1mdvmes5.2.i586.rpm
 7c8e22b78d0e37af09e566fe84a6f72e  mes5/i586/subversion-server-1.7.14-0.1mdvmes5.2.i586.rpm
 42c72886b4f762de675423647fbd4d98  mes5/i586/subversion-tools-1.7.14-0.1mdvmes5.2.i586.rpm
 5dc67eac926230ccf2cf8f6ad56ee711  mes5/i586/svn-javahl-1.7.14-0.1mdvmes5.2.i586.rpm 
 7201e07969effc89b5f05e14f02a3dbf  mes5/SRPMS/subversion-1.7.14-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 58344ddf6bdf2e082fc9eb9c370c1d6c  mes5/x86_64/apache-mod_dav_svn-1.7.14-0.1mdvmes5.2.x86_64.rpm
 ba396e7cc6a0b57a60d4328bf9f4e4d2  mes5/x86_64/lib64svn0-1.7.14-0.1mdvmes5.2.x86_64.rpm
 873f5a1f6aa95d2bf72696dbb871fefe  mes5/x86_64/lib64svnjavahl1-1.7.14-0.1mdvmes5.2.x86_64.rpm
 6fc320c4c8c01a1099cd6cdfaaf0a821  mes5/x86_64/perl-SVN-1.7.14-0.1mdvmes5.2.x86_64.rpm
 69ddd7592494175520da5ad5341e1fc9  mes5/x86_64/perl-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
 9ee72e400941c6e6187116107da5899a  mes5/x86_64/python-svn-1.7.14-0.1mdvmes5.2.x86_64.rpm
 1797db04f38985ef088ec2564b04029d  mes5/x86_64/python-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
 18ee8cf84ee12d32f3a7419a03704316  mes5/x86_64/ruby-svn-1.7.14-0.1mdvmes5.2.x86_64.rpm
 06c6c293e7f27f0747c1253a5906ff31  mes5/x86_64/ruby-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
 f797fd2bdb68d576bfea93bc03dc4a76  mes5/x86_64/subversion-1.7.14-0.1mdvmes5.2.x86_64.rpm
 338eab05e30504debf272a51d72607c3  mes5/x86_64/subversion-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm
 74bac1ee842f300896bb58c017b39223  mes5/x86_64/subversion-doc-1.7.14-0.1mdvmes5.2.x86_64.rpm
 25f6cd72c7fce5416af388218e221957  mes5/x86_64/subversion-server-1.7.14-0.1mdvmes5.2.x86_64.rpm
 0ca18c4790cf3220833b68a0a04642b6  mes5/x86_64/subversion-tools-1.7.14-0.1mdvmes5.2.x86_64.rpm
 f36cf1106c787f0a1732e4f1b27d151a  mes5/x86_64/svn-javahl-1.7.14-0.1mdvmes5.2.x86_64.rpm 
 7201e07969effc89b5f05e14f02a3dbf  mes5/SRPMS/subversion-1.7.14-0.1mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 8eaa5477089468e118b8e3e37fdfa136  mbs1/x86_64/apache-mod_dav_svn-1.7.14-0.1.mbs1.x86_64.rpm
 1e213dc581bfc397f250c0d830969cea  mbs1/x86_64/lib64svn0-1.7.14-0.1.mbs1.x86_64.rpm
 8bf03ee5f00dc27844b27887dd69874b  mbs1/x86_64/lib64svn-gnome-keyring0-1.7.14-0.1.mbs1.x86_64.rpm
 a445a790fa679c1336a76455823a71f4  mbs1/x86_64/lib64svnjavahl1-1.7.14-0.1.mbs1.x86_64.rpm
 c72a3886afb0fd0b4442678fba184f7b  mbs1/x86_64/perl-SVN-1.7.14-0.1.mbs1.x86_64.rpm
 0ec8baf5d59f783eb597dc56b02eb443  mbs1/x86_64/perl-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm
 75a468494a343b9ad30f50daf9ff8bae  mbs1/x86_64/python-svn-1.7.14-0.1.mbs1.x86_64.rpm
 6acf2fc86952e7ff6f80249efa3a2b85  mbs1/x86_64/python-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm
 5968e570d367b5f1108ddfbb68919ecd  mbs1/x86_64/ruby-svn-1.7.14-0.1.mbs1.x86_64.rpm
 9409c0f3a3609e4828fbebf663305ee5  mbs1/x86_64/ruby-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm
 64a752059f681dad3d0eee9a08842574  mbs1/x86_64/subversion-1.7.14-0.1.mbs1.x86_64.rpm
 9ac971374394757e942afd4f7e58735c  mbs1/x86_64/subversion-devel-1.7.14-0.1.mbs1.x86_64.rpm
 5c2675975cd738271399170583c1bc93  mbs1/x86_64/subversion-doc-1.7.14-0.1.mbs1.x86_64.rpm
 4cfccaa84ed2fe9b6e2c2dee34b20c30  mbs1/x86_64/subversion-gnome-keyring-devel-1.7.14-0.1.mbs1.x86_64.rpm
 12ab8392f8eeb1d803284e58554337af  mbs1/x86_64/subversion-server-1.7.14-0.1.mbs1.x86_64.rpm
 d5d76797698ab08ccffed5e75f89c317  mbs1/x86_64/subversion-tools-1.7.14-0.1.mbs1.x86_64.rpm
 8573ae56f5f3289d2cce2c56d3f60f53  mbs1/x86_64/svn-javahl-1.7.14-0.1.mbs1.x86_64.rpm 
 f0dae800b549b3d4e40e7f7b497b37b6  mbs1/SRPMS/subversion-1.7.14-0.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSsEzymqjQ0CJFipgRAvIfAJ9DMlIqd+FYAkiAr13GioFFbiKO5wCglpaQ
eArXx+wROjIIeYmUpmpyvM0=
=L3Es
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ