| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <dev-vcs/subversion-{1.7.18,1.8.10}, <net-libs/serf-1.3.7: Man-in-the-middle vulnerability, hash collisions (CVE-2014-{3504,3522,3528}) | | |
| Product | Gentoo Security | Reporter | Chris Reffett (RETIRED) <creffett> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | arfrever.fta, polynomial-c, proxy-maint, tommy |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | B3 [glsa cve] | | |
| Package list | | Runtime testing required | --- |
| Attachments | | | |
Description
Chris Reffett (RETIRED)
2014-08-06 12:33:18 UTC
Created attachment 382376 [details, diff]
Subversion CVE-2014-2522 patch
Created attachment 382378 [details, diff]
Subversion CVE-2014-3528 patch
I am not sure why I am copied on this bug; I do not maintain the subversion package.

Also, polynomial-c is listed as a maintainer but is not copied on this bug.

(In reply to Mike Gilbert from comment #3)
> I am not sure why I am copied on this bug; I do not maintain the subversion
> package.
>
> Also, polynomial-c is listed as a maintainer but is not copied on this bug.

This is obviously a mistake, I am un-CCing you. Please do not disclose this info, as said in the first message.

CCing Polynomial-C as he is marked as Subversion 1.8.* maintainer.

+*subversion-1.8.10 (12 Aug 2014)
+
+  12 Aug 2014; Lars Wendler <polynomial-c@gentoo.org> -subversion-1.8.8.ebuild,
+  +subversion-1.8.10.ebuild:
+  Security bump (bug #519202). Removed old. Added pkg_pretend which fails if
+  USE=test is set and an old version of this package is installed (bug
+  #516054). Don't run tests with USE=dso.
+

Arches, please test and mark stable =dev-vcs/subversion-1.8.10 with target KEYWORDS: alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris

What happened to 1.7.18? Is 1.7.* on its way out after stabilisation?

Stable for HPPA.

Wait, what happened to net-libs/serf?

(In reply to Jeroen Roovers from comment #6)
> What happened to 1.7.18? Is 1.7.* on its way out after stabilisation?

I just missed this bug, 1.7.18 is now added to the tree.
Arches, please test and stabilize =dev-vcs/subversion-1.7.18 target KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

amd64 stable

x86 stable

alpha/arm/arm64/ia64/sparc stable

Re-adding arches back, because they also need to stabilize net-libs/serf in this bug too.

Arches, please test and mark stable =net-libs/serf-1.3.7
Target keywords: alpha arm arm64 hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

alpha/arm/arm64/ia64/sparc/x86 stable

amd64 stable

ppc stable

CVE-2014-3528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3528): Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.

CVE-2014-3522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3522): The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

CVE-2014-3504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3504): The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 do not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

ppc64 stable.

Maintainer(s), please cleanup. Security, please vote.
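The CVE descriptions quoted above name two certificate-name-matching bug classes: a NUL byte embedded in the CN (CVE-2014-3504) and wildcard handling that matches more than it should (CVE-2014-3522). The following is an added example, not serf's, Subversion's or Gentoo's own code, that puts a naive matcher with both defects beside a strict one. The function names and the certificate names are constructed for this illustration; the NUL-byte CN is passed with an explicit length, the way a DER decoder would hand it over.

```c
/*
 * Added example, not serf's or Subversion's own code: a strict X.509
 * hostname-matching routine beside a naive one, showing the two bug classes
 * in the CVE text above (a NUL byte embedded in the CN, and wildcards that
 * match more than one label). Function names and the certificate names below
 * are constructed for this illustration. Build: cc -std=c11 -Wall hostmatch.c
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed certificate name with an embedded NUL byte, plus its true
 * length as a DER decoder would report it (30 bytes, NUL included). */
static const unsigned char cn_with_nul[] = "www.example.com\0.attacker.test";
#define CN_WITH_NUL_LEN (sizeof cn_with_nul - 1)

/* Naive glob: '*' matches any run of characters, dots included. */
static bool glob_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            for (const char *t = s; ; t++) {
                if (glob_match(pat + 1, t)) return true;
                if (*t == '\0') return false;
            }
        }
        if (*s == '\0' || tolower((unsigned char)*pat) != tolower((unsigned char)*s))
            return false;
        pat++; s++;
    }
    return *s == '\0';
}

/* The bug pattern: the CN is consumed as a C string, so it ends at the first
 * NUL byte, and a generic glob decides whether the wildcard matches. */
static bool naive_host_match(const char *cn, const char *host)
{
    return glob_match(cn, host);
}

/* Strict check: length-aware, rejects embedded NUL bytes, and accepts a
 * wildcard only as the whole leftmost label of a name with at least two more
 * labels ("*.example.com"); the wildcard matches exactly one host label. */
static bool strict_host_match(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (cn_len == 0 || memchr(cn, '\0', cn_len) != NULL)
        return false;                           /* embedded NUL: reject outright */

    size_t host_len = strlen(host);

    if (cn_len >= 2 && cn[0] == '*' && cn[1] == '.') {
        const unsigned char *suffix = cn + 1;   /* ".example.com" */
        size_t suffix_len = cn_len - 1;
        size_t dots = 0;
        for (size_t i = 0; i < suffix_len; i++) {
            if (suffix[i] == '*') return false; /* a second wildcard is not allowed */
            if (suffix[i] == '.') dots++;
        }
        if (dots < 2) return false;             /* "*.com" would cover every .com host */
        if (host_len <= suffix_len) return false;
        size_t label_len = host_len - suffix_len;
        if (memchr(host, '.', label_len) != NULL)
            return false;                       /* wildcard must not span a dot */
        return strncasecmp(host + label_len, (const char *)suffix, suffix_len) == 0;
    }

    /* No leading "*.": any other '*' is rejected; otherwise exact compare. */
    if (memchr(cn, '*', cn_len) != NULL) return false;
    return host_len == cn_len && strncasecmp((const char *)cn, host, cn_len) == 0;
}

int main(void)
{
    static const char *const cases[][2] = {
        { "*.example.com", "www.example.com" },  /* legitimate wildcard use */
        { "*.example.com", "a.b.example.com" },  /* wildcard spanning a dot */
        { "*.com",         "evil.com" },         /* wildcard over a whole TLD */
        { "*",             "anything.test" },    /* bare wildcard */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-16s naive=%d strict=%d\n", cases[i][0], cases[i][1],
               naive_host_match(cases[i][0], cases[i][1]),
               strict_host_match((const unsigned char *)cases[i][0],
                                 strlen(cases[i][0]), cases[i][1]));
    printf("%-16s vs %-16s naive=%d strict=%d\n", "NUL-byte CN", "www.example.com",
           naive_host_match((const char *)cn_with_nul, "www.example.com"),
           strict_host_match(cn_with_nul, CN_WITH_NUL_LEN, "www.example.com"));
    return 0;
}
```

The naive matcher accepts the NUL-byte certificate for www.example.com because it never sees the bytes after the NUL, and accepts "*.com" or a bare "*" for any host because the glob treats dots like any other character; the strict matcher rejects all of these and still accepts "*.example.com" for www.example.com. The page does not describe the credential-cache issue (CVE-2014-3528) in enough detail to model it, so it is not covered here.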
Deletion of <net-libs/serf-1.3.7 is potentially waiting for bug #488434 :( .

Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes

Blocker set for Bug #488434

Vulnerable <net-libs/serf-1.3.8 dropped.

Arches and Maintainer(s), thank you for your work.

GLSA Vote: Yes, new request filed

This issue was resolved and addressed in GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05 by GLSA coordinator Aaron Bauman (b-man).