| Summary: | <dev-vcs/subversion-{1.7.16,1.8.8}: mod_dav_svn crash when handling certain requests with SVNListParentPath on (CVE-2014-0032) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | tommy |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1062042 | ||
| Whiteboard: | B3 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
This issue is fixed in 1.7.16 (1.7.15 was never released) and 1.8.8 according to http://svn.apache.org/repos/asf/subversion/trunk/CHANGES @maintainers: is 1.8.8 or 1.8.9 ready for stabilization? I notice the latest 1.7.x series we have in tree is still 1.7.14. (In reply to Kristian Fiskerstrand from comment #1) > This issue is fixed in 1.7.16 (1.7.15 was never released) and 1.8.8 > according to http://svn.apache.org/repos/asf/subversion/trunk/CHANGES > > @maintainers: is 1.8.8 or 1.8.9 ready for stabilization? I notice the latest > 1.7.x series we have in tree is still 1.7.14. 1.7.17 was added on the first of june so should be ready for stabilization too Arches, please test and mark stable =dev-vcs/subversion-1.7.17 Targets: alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86 CVE-2014-0032 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0032): The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command. Stable on alpha. stable arm64 arm stable Stable for HPPA. amd64 stable x86 stable ia64/sparc stable ppc stable ppc64 stable. Maintainer(s), please cleanup. Security, please vote. older versions for the 1.7 series removed, latest one is now 1.7.17, which will be removed once stabilization for bug 519202 is done. Cleanup already done. GLSA Vote: No (In reply to Kristian Fiskerstrand from comment #15) > Cleanup already done. > > GLSA Vote: No Adding as GLSA to existing request 8cfee74a1 This issue was resolved and addressed in GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05 by GLSA coordinator Aaron Bauman (b-man). |
From ${URL} : A mod_dav_svn crash was reported when SVNListParentPath is on: http://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3CCANvU9scLHr2yOLABW8q6_wNzhEf7pWM=NiavGcobqvUuyhKyAA@mail.gmail.com%3E Certain requests could cause mod_dav_svn to crash. This has been corrected in version 1.7.15: https://svn.apache.org/repos/asf/subversion/branches/1.7.x/CHANGES Upstream fix for CVE-2014-0032: http://svn.apache.org/viewvc?view=revision&revision=r1557320 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.