| Field | Value |
|---|---|
| Summary | <dev-vcs/subversion-{1.7.19,1.8.11}: Two Denial of Service vulnerabilities (CVE-2014-{3580,8108}) |
| Product | Gentoo Security |
| Reporter | Sean Amoss (RETIRED) <ackle> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | polynomial-c, tommy |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://mail-archives.apache.org/mod_mbox/subversion-dev/201412.mbox/%3C548F4EF1.9070900@apache.org%3E |
| Whiteboard | B3 [noglsa] |
| Package list | (none) |
| Runtime testing required | --- |
| Attachments | (see description) |
Description

Sean Amoss (RETIRED), 2014-12-13 02:24:01 UTC

Created attachment 391530: Subversion Patches for CVE-2014-3580
Created attachment 391532: Subversion Patches for CVE-2014-8108
This is now public via $URL.

```
+*subversion-1.8.11 (16 Dec 2014)
+
+ 16 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -subversion-1.8.9.ebuild,
+ +subversion-1.8.11.ebuild,
+ -files/subversion-1.6.0-disable_linking_against_unneeded_libraries.patch,
+ -files/subversion-1.6.2-local_library_preloading.patch,
+ -files/subversion-1.6.3-kwallet_window.patch,
+ -files/subversion-1.7.6-kwallet.patch,
+ -files/subversion-1.7.6-revert-mod_dontdothat-move.patch,
+ -files/svnserve.initd:
+ Security bump (bug #532406). Removed old.
```

Arches please test and mark stable =dev-vcs/subversion-1.8.11 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris

Stable for HPPA.

Arches: Also please test and mark stable: dev-vcs/subversion-1.7.19 target keywords="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

Stable for HPPA.

amd64 stable

x86 stable

alpha stable

arm stable

ppc stable

ppc64 stable

ia64 stable

sparc stable.

Maintainer(s), please cleanup. Security, please vote.

```
+ 26 Dec 2014; Lars Wendler <polynomial-c@gentoo.org>
+ -subversion-1.7.18.ebuild, -subversion-1.8.10.ebuild,
+ -subversion-1.8.10-r1.ebuild, -files/subversion-1.8.9-po_fixes.patch:
+ Removed vulnerable versions.
```
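Review bot: the 1.7.19 ebuild has no ChangeLog entry in the pasted text, although the 16 Dec 2014 entry only records the 1.8 branch bump (`+subversion-1.8.11.ebuild`, `-subversion-1.8.9.ebuild`), the stabilization request that follows also targets dev-vcs/subversion-1.7.19, and the 26 Dec 2014 entry removes `-subversion-1.7.18.ebuild` as a vulnerable version. Add the corresponding `+subversion-1.7.19.ebuild` line (or cite the commit that added it) so the ChangeLog covers both fixed branches named in the bug summary, 1.7.19 and 1.8.11.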
CVE-2014-8108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8108): The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist.

CVE-2014-3580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3580): The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

Thanks for your work, guys

GLSA vote: no

NO too, closing.
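The two NVD entries above give the affected ranges, and the bug names the fixed releases (1.7.19 and 1.8.11). The following is an added example, not code from this bug, from Gentoo, or from the Subversion project: it turns those ranges into a per-CVE check that a practitioner can run against an installed version before deciding whether the server still needs the bump. The two accepted input formats (a Gentoo package atom such as `dev-vcs/subversion-1.8.10-r1`, and the first line of `svn --version`) are assumptions about how the version would be obtained; the sample inputs, including the placeholder `r0000000` revision, are constructed. Versions 1.9 and later are outside what the page states and are reported as not in range rather than as safe.

```python
"""Check a Subversion version against the CVE ranges quoted in this bug.

Added example; not the bug's, Gentoo's, or Subversion's own code. Encodes only
the NVD wording quoted above (CVE-2014-8108: 1.7.x before 1.7.19 and 1.8.x
before 1.8.11; CVE-2014-3580: 1.x before 1.7.19 and 1.8.x before 1.8.11) and
the fixed releases the bug stabilized (1.7.19, 1.8.11). Input formats are
assumed; sample inputs are constructed.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the bug, keyed by (major, minor) branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (1, 7): (1, 7, 19),
    (1, 8): (1, 8, 11),
}

# Assumed input formats: a Gentoo atom ("dev-vcs/subversion-1.8.10-r1", with
# or without a leading "=") and the first line of `svn --version`
# ("svn, version 1.8.10 (r...)").
_ATOM_RE = re.compile(r"subversion-(\d+(?:\.\d+)*)(?:-r\d+)?$")
_SVN_VERSION_RE = re.compile(r"\bversion\s+(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from an atom or `svn --version` line.

    Missing components are padded with 0 so tuple comparison is well-defined.
    A Gentoo revision suffix (-rN) is dropped: it does not change the upstream
    version the CVE ranges refer to. Returns None if nothing matches.
    """
    text = text.strip()
    m = _ATOM_RE.search(text) or _SVN_VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


def affected(version: Version) -> Dict[str, bool]:
    """Per-CVE verdict using exactly the NVD ranges quoted in the bug."""
    branch = (version[0], version[1])
    in_1_7_range = branch == (1, 7) and version < (1, 7, 19)
    in_1_8_range = branch == (1, 8) and version < (1, 8, 11)
    return {
        # "1.x before 1.7.19 and 1.8.x before 1.8.11" (covers 1.6 and older too)
        "CVE-2014-3580": (version[0] == 1 and version < (1, 7, 19)) or in_1_8_range,
        # "1.7.x before 1.7.19 and 1.8.x before 1.8.11"
        "CVE-2014-8108": in_1_7_range or in_1_8_range,
    }


def fixed_in(version: Version) -> Optional[Version]:
    """Lowest fixed release from this bug that an affected install can move to.

    1.7.x -> 1.7.19 and 1.8.x -> 1.8.11 as stabilized here. For branches older
    than 1.7 (in range for CVE-2014-3580) the page names no same-branch fix, so
    the lowest fixed release, 1.7.19, is returned (an assumption of this
    example). For 1.9 and later the page says nothing, hence None.
    """
    branch = (version[0], version[1])
    if branch in FIXED_BY_BRANCH:
        return FIXED_BY_BRANCH[branch]
    if branch < (1, 7):
        return FIXED_BY_BRANCH[(1, 7)]
    return None


def check(text: str) -> Dict[str, object]:
    """Full verdict for one input line; unparsable input yields an 'error' key."""
    version = parse_version(text)
    if version is None:
        return {"input": text, "error": "no Subversion version found"}
    verdicts = affected(version)
    fix = fixed_in(version) if any(verdicts.values()) else None
    return {
        "input": text,
        "version": ".".join(map(str, version)),
        **verdicts,
        "fixed_in": ".".join(map(str, fix)) if fix else None,
    }


if __name__ == "__main__":
    # Constructed samples: ebuild names from this bug plus `svn --version`
    # first lines with a placeholder revision number.
    for sample in (
        "dev-vcs/subversion-1.8.10-r1",
        "=dev-vcs/subversion-1.8.11",
        "dev-vcs/subversion-1.7.18",
        "svn, version 1.6.23 (r0000000)",
        "svn, version 1.9.0 (r0000000)",
    ):
        print(check(sample))
```

The check deliberately keys on the upstream version and ignores the Gentoo `-rN` revision, because the two ebuilds removed as vulnerable (`1.8.10` and `1.8.10-r1`) carry the same upstream code; the fix for both CVEs is the branch bump, not a revision-level patch.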