FreshPorts - VuXML

Subversion Project reports:

Subversion's mod_dav_svn Apache HTTPD server module will crash when it receives an OPTIONS request against the server root and Subversion is configured to handle the server root and SVNListParentPath is on. This can lead to a DoS. There are no known instances of this problem being exploited in the wild, but the details of how to exploit it have been disclosed on the Subversion development mailing list.

ge 1.3.0 lt 1.7.16

ge 1.8.0 lt 1.8.8

ge 1.3.0 lt 1.7.16

ge 1.3.0 lt 1.7.16

In some situations, subversion metadata may be unexpectedly disclosed via WebDAV. A subversion advisory states:

mod_authz_svn, the Apache httpd module which does path-based authorization on Subversion repositories, is not correctly protecting all metadata on unreadable paths.

This security issue is not about revealing the contents of protected files: it only reveals metadata about protected areas such as paths and log messages. This may or may not be important to your organization, depending on how you're using path-based authorization, and the sensitivity of the metadata.

< 1.0.8

Subversion Project reports:

Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion on some requests made against a revision root. This can lead to a DoS. If assertions are disabled it will trigger a read overflow which may cause a SEGFAULT (or equivalent) or undefined behavior.

Commit access is required to exploit this.

ge 1.8.0 lt 1.8.1

ge 1.7.0 lt 1.7.11

Subversion project reports:

Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.

While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed.

ge 1.10.0 lt 1.10.8

ge 1.11.0 lt 1.14.2

ge 1.10.0 lt 1.10.8

ge 1.11.0 lt 1.14.2

ge 1.10.0 lt 1.10.8

ge 1.10.0 lt 1.10.8

Subversion reports:

CVE-2015-3184:

Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4.

CVE-2015-3187:

Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by path-based authz.

ge 1.8.0 lt 1.8.14

ge 1.7.0 lt 1.7.21

Stefan Esser reports:

Subversion versions up to 1.0.2 are vulnerable to a date parsing vulnerability which can be abused to allow remote code execution on Subversion servers and therefore could lead to a repository compromise.

NOTE: This vulnerability is similar to the date parsing issue that affected neon. However, it is a different and distinct bug.

< 1.0.2_1

Subversion team reports:

The script contrib/hook-scripts/check-mime-type.pl does not escape argv arguments to 'svnlook' that start with a hyphen. This could be used to cause 'svnlook', and hence check-mime-type.pl, to error out.

The script contrib/hook-scripts/svn-keyword-check.pl parses filenames from the output of 'svnlook changed' and passes them to a further shell command (equivalent to the 'system()' call of the C standard library) without escaping them. This could be used to run arbitrary shell commands in the context of the user whom the pre-commit script runs as (the user who owns the repository).

ge 1.7.0 lt 1.7.10

ge 1.2.0 lt 1.6.23

subversion team reports:

A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL argument.

A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server.

The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

An exploit has been tested.

ge 1.9.0 le 1.9.6

ge 1.0.0 le 1.8.18

ge 1.0.0 le 1.8.18

ge 1.9.0 le 1.9.6

Entry for CVE-2010-4539 says:

The walk function in repos.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.15, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger the walking of SVNParentPath collections.

Entry for CVE-2010-4644 says:

Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 allow remote authenticated users to cause a denial of service (memory consumption and daemon crash) via the -g option to the blame command.

< 1.6.15

< 1.6.15

Subversion team reports:

If a filename which contains a newline character (ASCII 0x0a) is committed to a repository using the FSFS format, the resulting revision is corrupt.

ge 1.7.0 lt 1.7.10

ge 1.1.0 lt 1.6.23

Subversion Project reports:

Using the Serf RA layer of Subversion for HTTPS uses the apr_fnmatch API to handle matching wildcards in certificate Common Names and Subject Alternate Names. However, apr_fnmatch is not designed for this purpose. Instead it is designed to behave like common shell globbing. In particular this means that '*' is not limited to a single label within a hostname (i.e. it will match '.'). But even further apr_fnmatch supports '?' and character classes (neither of which are part of the RFCs defining how certificate validation works).

Subversion stores cached credentials by an MD5 hash based on the URL and the authentication realm of the server the credentials are cached for. MD5 has been shown to be subject to chosen plaintext hash collisions. This means it may be possible to generate an authentication realm which results in the same MD5 hash for a different URL.

ge 1.0.0 lt 1.7.18

ge 1.0.0 lt 1.7.18

ge 1.0.0 lt 1.7.18

ge 1.8.0 lt 1.8.10

Subversion Project reports:

Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests.

Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers.

Subversion HTTP servers allow spoofing svn:author property values for new revisions.

ge 1.5.0 lt 1.7.20

ge 1.8.0 lt 1.8.13

ge 1.0.0 lt 1.7.20

ge 1.0.0 lt 1.7.20

ge 1.0.0 lt 1.7.20

ge 1.8.0 lt 1.8.13

The Apache Software Foundation reports:

The mod_dontdothat module of subversion and subversion clients using http(s):// are vulnerable to a denial-of-service attack, caused by exponential XML entity expansion. The attack targets XML parsers causing targeted process to consume excessive amounts of resources. The attack is also known as the "billions of laughs attack."

< 1.8.17

< 1.9.5

Subversion team reports:

Subversion's mod_dav_svn Apache HTTPD server module will use excessive amounts of memory when a large number of properties are set or deleted on a node.

Subversion's mod_dav_svn Apache HTTPD server module will crash when a LOCK request is made against activity URLs.

Subversion's mod_dav_svn Apache HTTPD server module will crash in some circumstances when a LOCK request is made against a non-existent URL.

Subversion's mod_dav_svn Apache HTTPD server module will crash when a PROPFIND request is made against activity URLs.

Subversion's mod_dav_svn Apache HTTPD server module will crash when a log REPORT request receives a limit that is out of the allowed range.

ge 1.7.0 lt 1.7.9

ge 1.0.0 lt 1.6.21

A Subversion Security Advisory reports:

Subversion clients and servers have multiple heap overflow issues in the parsing of binary deltas. This is related to an allocation vulnerability in the APR library used by Subversion.

Clients with commit access to a vulnerable server can cause a remote heap overflow; servers can cause a heap overflow on vulnerable clients that try to do a checkout or update.

This can lead to a DoS (an exploit has been tested) and to arbitrary code execution (no exploit tested, but the possibility is clear).

< 1.6.4

Subversion project reports:

svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a prefix of the expected realm string.

Subversion's httpd servers are vulnerable to a remotely triggerable crash in the mod_authz_svn module. The crash can occur during an authorization check for a COPY or MOVE request with a specially crafted header value.

This allows remote attackers to cause a denial of service.

ge 1.9.0 lt 1.9.4

ge 1.0.0 lt 1.8.15

ge 1.0.0 lt 1.8.15

Subversion team reports:

Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process.

ge 1.7.0 lt 1.7.10

ge 1.0.0 lt 1.6.23

Subversion Project reports:

Remotely triggerable heap overflow and out-of-bounds read caused by integer overflow in the svn:// protocol parser.

Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn caused by integer overflow when parsing skel-encoded request bodies.

ge 1.7.0 lt 1.7.22_1

ge 1.8.0 lt 1.8.15

ge 1.9.0 lt 1.9.3

ge 1.7.0 lt 1.7.22_1

ge 1.8.0 lt 1.8.15

ge 1.9.0 lt 1.9.3

Subversion team reports:

Subversion's mod_dav_svn Apache HTTPD server module will dereference a NULL pointer if asked to deliver baselined WebDAV resources.

This can lead to a DoS. An exploit has been tested, and tools or users have been observed triggering this problem in the wild.

Subversion's mod_dav_svn Apache HTTPD server module may in certain scenarios enter a logic loop which does not exit and which allocates memory in each iteration, ultimately exhausting all the available memory on the server.

This can lead to a DoS. There are no known instances of this problem being observed in the wild, but an exploit has been tested.

Subversion's mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users.

There are no known instances of this problem being observed in the wild, but an exploit has been tested.

< 1.6.17

< 1.6.17

Subversion project reports:

Subversion HTTP servers up to 1.5.9 (inclusive) or 1.6.15 (inclusive) are vulnerable to a remotely triggerable NULL-pointer dereference.

ge 1.6 le 1.6.15

ge 1.5 le 1.6.9

ge 1.6 le 1.6.15

ge 1.5 le 1.6.9

Subversion Project reports:

mod_dontdothat does not restrict requests from serf based clients

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat.

mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits

When SVNAutoversioning is enabled via SVNAutoversioning on commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort.

ge 1.4.0 lt 1.7.14

ge 1.8.0 lt 1.8.5

Subversion Project reports:

Subversion's mod_dav_svn Apache HTTPD server module will crash when it receives a REPORT request for some invalid formatted special URIs.

Subversion's mod_dav_svn Apache HTTPD server module will crash when it receives a request for some invalid formatted special URIs.

We consider this to be a medium risk vulnerability. Repositories which allow for anonymous reads will be vulnerable without authentication. Unfortunately, no special configuration is required and all mod_dav_svn servers are vulnerable.

ge 1.8.0 lt 1.8.11

ge 1.0.0 lt 1.7.19

ge 1.0.0 lt 1.7.19

ge 1.0.0 lt 1.7.19

ge 1.8.0 lt 1.8.11

Subversion Project reports:

svnserve takes a --pid-file option which creates a file containing the process id it is running as. It does not take steps to ensure that the file it has been directed at is not a symlink. If the pid file is in a directory writeable by unprivileged users, the destination could be replaced by a symlink allowing for privilege escalation. svnserve does not create a pid file by default.

All versions are only vulnerable when the --pid-file=ARG option is used.

ge 1.4.0 lt 1.6.23_2

ge 1.7.0 lt 1.7.13

ge 1.8.0 lt 1.8.3