From ${URL} : It was found that Subversion's mod_dav_svn Apache HTTPD server module will crash when a PROPFIND request is made against activity URLs. This can lead to a DoS. There is a flaw in mod_dav_svn that improperly tries to process this request instead of rejecting it and results in an attempt to access invalid memory (NULL). Which results in the httpd process segfaulting and dying. How bad the impact of that is varies based upon the configuration of the httpd server. httpd servers using a prefork MPM will simply start a new process to replace the process that died. Servers using threaded MPMs may be processing other requests in the same process as the process that the attack causes to die. In either case there is an increased processing impact of restarting a process and the cost of per process caches being lost. External Reference: http://seclists.org/fulldisclosure/2013/Mar/56
Old removed, @security, please add it to existing draft.
CVE-2013-1849 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1849): The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a PROPFIND request for an activity URL.
Updated existing GLSA.
This issue was resolved and addressed in GLSA 201309-11 at http://security.gentoo.org/glsa/glsa-201309-11.xml by GLSA coordinator Sean Amoss (ackle).
