From ${URL} :

A possible MD5 collision issue was found in the way Subversion handled cached credentials. If an attacker could trick a victim into connecting to their Subversion server, they could send a specially-crafted realm string to the victim that could trigger an MD5 collision. This could lead to the Subversion client sending another realm's credentials to the attacker's server.

Upstream patches:

http://svn.apache.org/r1550691
http://svn.apache.org/r1550772

References:

http://mail-archives.apache.org/mod_mbox/subversion-dev/201406.mbox/%3C53915FD8.7050600@reser.org%3E

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
(In reply to Agostino Sarubbo from comment #0)
> From ${URL} :
>
> A possible MD5 collision issue was found in the way Subversion handled
> cached credentials. If an attacker could trick a victim into connecting
> to their Subversion server, they could send a specially-crafted realm
> string to the victim that could trigger an MD5 collision. This could lead
> to the Subversion client sending another realm's credentials to the
> attacker's server.
>
> Upstream patches:
>
> http://svn.apache.org/r1550691
> http://svn.apache.org/r1550772

Full patchset present in >=dev-vcs/subversion-1.8.16. Added to existing GLSA.
This issue was resolved and addressed in GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05 by GLSA coordinator Aaron Bauman (b-man).
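
The failure mode described in comment #0, as an added illustration that is not Subversion's code and not the upstream patch: a credential cache indexed only by a digest of the realm string hands out an entry to any realm whose digest matches, while a lookup that also compares the stored realm string refuses it. The class, function names and realm strings are hypothetical, and the digest is truncated to one hex character as a stand-in so that a matching key exists in a small constructed list.

```python
import hashlib

def md5_key(realm):
    """Cache key derived from the full MD5 digest of the realm string."""
    return hashlib.md5(realm.encode("utf-8")).hexdigest()

def weak_key(realm):
    """Stand-in (assumption): MD5 cut to 1 hex char so two realms share a key."""
    return md5_key(realm)[:1]

class CredentialCache:
    """Hypothetical cache: one entry per key, the realm string kept inside it."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.entries = {}

    def store(self, realm, username, password):
        self.entries[self.key_func(realm)] = {
            "realm": realm, "username": username, "password": password}

    def lookup_unchecked(self, realm):
        # Trusts the digest alone: any realm with the same key gets the entry.
        return self.entries.get(self.key_func(realm))

    def lookup_checked(self, realm):
        # Also requires the stored realm string to equal the requested one.
        entry = self.entries.get(self.key_func(realm))
        if entry is None or entry["realm"] != realm:
            return None
        return entry

# Constructed sample realm strings.
TRUSTED_REALM = "<https://svn.trusted.example:443> Project Repository"

def realm_with_same_key(target, key_func, limit=10000):
    """Pick a constructed realm of another server whose cache key equals target's."""
    for i in range(limit):
        candidate = "<https://svn.other.example:443> Realm %d" % i
        if key_func(candidate) == key_func(target):
            return candidate
    raise LookupError("no constructed realm shares the key")

def demo():
    cache = CredentialCache(weak_key)
    cache.store(TRUSTED_REALM, "alice", "constructed-password")
    other = realm_with_same_key(TRUSTED_REALM, weak_key)
    return other, cache.lookup_unchecked(other), cache.lookup_checked(other)

if __name__ == "__main__":
    other, unchecked, checked = demo()
    print("other realm:", other)
    print("unchecked lookup returns:", unchecked)
    print("checked lookup returns:", checked)
```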