Summary: | <dev-vcs/subversion-1.6.17: Multiple Vulnerabilities (CVE-2011-{1752,1783,1921}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alexanderyt, arfrever, moonwalker, nathan |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://svn.haxx.se/dev/archive-2011-06/0030.shtml | ||
Whiteboard: | A3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Tim Sammut (RETIRED)
2011-05-28 17:41:26 UTC
Public as per $URL. Arfrever: ping

*** Bug 370005 has been marked as a duplicate of this bug. ***

CVE-2011-1921 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1921): The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is disabled, does not properly enforce permissions for files that had been publicly readable in the past, which allows remote attackers to obtain sensitive information via a replay REPORT operation.

CVE-2011-1783 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1783): The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data.

CVE-2011-1752 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1752): The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.17, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request for a baselined WebDAV resource, as exploited in the wild in May 2011.

This security bug is almost 3 months old now with no sign of any action, is something holding this back? Looks to be a trivial upgrade from 1.6.16 to 1.6.17, probably just requires an ebuild version bump...

(In reply to comment #4)
> This security bug is almost 3 months old now with no sign of any action, is
> something holding this back? Looks to be a trivial upgrade from 1.6.16 to
> 1.6.17, probably just requires an ebuild version bump...

The maintainer in charge of the ebuild is no longer a developer.

My apologies, this is an unacceptable response time. I have taken maintainership of this ebuild, and plan to give it some much needed love in the near future. For now, the version bump is in place.
+*subversion-1.6.17 (17 Aug 2011) + + 17 Aug 2011; Tony Vroon <chainsaw@gentoo.org> +subversion-1.6.17.ebuild, + metadata.xml: + Version bump for security bug #369065 by Tim Sammut. Took maintainership, + added use of base eclass and PATCHES bash array. EAPI 4 usage made impossible + by python eclass.

Arches, please test & mark stable. A portage.internal & upstream.workaround warning from repoman are expected, these will be resolved in later ebuilds when the time pressure is off.

amd64 ok

amd64 done. Thanks Agostino

ppc/ppc64 stable

x86 stable

Thanks Tony for giving this a nudge =)

arm stable

Stable for HPPA.

alpha/ia64/s390/sh/sparc stable

Thanks, everyone. Added to existing GLSA request.

This issue was resolved and addressed in GLSA 201309-11 at http://security.gentoo.org/glsa/glsa-201309-11.xml by GLSA coordinator Sean Amoss (ackle).
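
Review bot: the ChangeLog entry added for subversion-1.6.17 cites only "security bug #369065" and does not name the CVEs the bump addresses; listing CVE-2011-1752, CVE-2011-1783 and CVE-2011-1921 on that line would let anyone searching the ChangeLog by CVE find this version. The remark "EAPI 4 usage made impossible by python eclass" also gives no detail on what the eclass blocks, so a short pointer there would help whoever revisits it in the later ebuilds.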