This email is a confidential pre-notification for multiple security alerts for Subversion clients:

 * CVE-2014-3580
 * CVE-2014-8108

Please *do not forward* any part of this mail to anyone. The public announcement is not until 15 December 2014 17:00 UTC, and we'd like to keep the information embargoed until then.

You are receiving this mail because (we think) you distribute software that uses the Subversion libraries or host a Subversion installation used by a large number of users. We believe that you might want to have your software patched by the time these security holes are made public on 15 December.

If you no longer maintain Subversion-related packages or hosting, please reply to this mail indicating who the appropriate contact would be for your organization.

Below are the advisories, followed by patches to fix the problems. The Subversion patches apply to Subversion 1.7.18 and Subversion 1.8.10. Subversion 1.7.19 and 1.8.11 will be published on 15 December, including the patches below, as well as other stability and bug fixes. You can get an advance copy of the source distribution here:

https://dist.apache.org/repos/dist/dev/subversion/?p=7401

Here are the full advisories:

{{{
mod_dav_svn is vulnerable to a remotely triggerable segfault DoS vulnerability with certain invalid REPORT requests.

Summary:
========

Subversion's mod_dav_svn Apache HTTPD server module will crash when it receives a REPORT request for some invalidly formatted special URIs. This can lead to a DoS.

There are no known instances of this problem being exploited in the wild.

Known vulnerable:
=================

  Subversion HTTPD servers 1.0.0 through 1.7.18 (inclusive)
  Subversion HTTPD servers 1.8.0 through 1.8.10 (inclusive)

Known fixed:
============

  Subversion 1.7.19
  Subversion 1.8.11

Details:
========

Subversion's HTTP support is implemented as an interaction between mod_dav and mod_dav_svn. mod_dav asks mod_dav_svn to fill a resource struct when a request is made. When the resource doesn't exist in the repository, the repository path is calculated as NULL. Later mod_dav calls into mod_dav_svn to actually handle the request, and Subversion attempts to use the repository path, which is NULL, resulting in the SEGFAULT.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

We consider this to be a medium risk vulnerability.

Repositories which allow for anonymous reads will be vulnerable without authentication. Unfortunately, no special configuration is required and all mod_dav_svn servers are vulnerable.

A remote attacker may be able to crash a Subversion server. Many Apache servers will respawn the listener processes, but a determined attacker will be able to crash these processes as they appear, denying service to legitimate users. Servers using threaded MPMs will close the connection on other clients being served by the same process that services the request from the attacker. In either case there is an increased processing impact of restarting a process and the cost of per-process caches being lost.

Recommendations:
================

We recommend that all users upgrade to Subversion 1.8.11. Users of Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the included patch.

New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

No known workarounds are available.

References:
===========

  CVE-2014-3580 (Subversion)

Reported by:
============

  Evgeny Kotkov, VisualSVN

Patches:
========
}}}

{{{
mod_dav_svn is vulnerable to a remotely triggerable segfault DoS vulnerability for requests with non-existent virtual transaction names.

Summary:
========

Subversion's mod_dav_svn Apache HTTPD server module will crash when it receives a request for some invalidly formatted special URIs. This can lead to a DoS.

There are no known instances of this problem being exploited in the wild.

Known vulnerable:
=================

  Subversion HTTPD servers 1.7.0 through 1.7.18 (inclusive)
  Subversion HTTPD servers 1.8.0 through 1.8.10 (inclusive)

Known fixed:
============

  Subversion 1.7.19
  Subversion 1.8.11

Details:
========

Subversion 1.7.0 and newer added a new protocol variant to the HTTP support. One of the changes in this new protocol was that the client no longer had to generate the UUID by which transactions would be referred to. However, there were circumstances where clients needed to provide their own names for transactions, and so it has support for virtual transaction names. These transaction names are then mapped to the server's internal transaction id, much as was done in the old protocol. New special URIs were provided to allow the client to access the transactions by these virtual transaction names.

Making a request for a URI that refers to a non-existent virtual transaction name results in the lookup for the internal transaction id returning NULL. Subsequent uses of the transaction id do not properly validate that the id is valid and result in a SEGFAULT.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

We consider this to be a medium risk vulnerability.

Repositories which allow for anonymous reads will be vulnerable without authentication. Unfortunately, no special configuration is required and all mod_dav_svn servers that support the new protocol variant are vulnerable.

A remote attacker may be able to crash a Subversion server. Many Apache servers will respawn the listener processes, but a determined attacker will be able to crash these processes as they appear, denying service to legitimate users. Servers using threaded MPMs will close the connection on other clients being served by the same process that services the request from the attacker. In either case there is an increased processing impact of restarting a process and the cost of per-process caches being lost.

Recommendations:
================

We recommend that all users upgrade to Subversion 1.8.11. Users of Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the included patch.

New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

No known workarounds are available.

References:
===========

  CVE-2014-8108 (Subversion)

Reported by:
============

  Evgeny Kotkov, VisualSVN

Patches:
========
}}}
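Both advisories above say there is no workaround and that the only visible effect of an attack is httpd repeatedly respawning crashed worker children. Until the fixed packages land, the practical interim measure is to watch the Apache error_log for that signature. The following is an added example (not code from the Subversion project, the advisory authors, or this bug) that parses the child-exit lines httpd 2.2 and 2.4 actually write and raises one alert per burst of SIGSEGV exits. The log lines, the threshold of three crashes and the 60-second window are constructed assumptions to be tuned locally; a real log would contain only one of the two line formats, the sample mixes both to exercise the parser.

```python
"""Flag bursts of httpd worker segfaults, the observable footprint of a
remote NULL-dereference DoS such as CVE-2014-3580 / CVE-2014-8108.

Added example, not Subversion project code. Sample log lines are constructed.
"""
import re
from collections import deque
from datetime import datetime, timedelta

SIGSEGV = 11

# httpd 2.2: [Mon Dec 15 17:03:11 2014] [notice] child pid 4121 exit signal Segmentation fault (11)
# httpd 2.4: [Mon Dec 15 17:03:11.123456 2014] [core:notice] [pid 1] AH00052: child pid 4121 exit signal Segmentation fault (11)
_CHILD_EXIT_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<year>\d{4})\]"
    r".*?child pid (?P<pid>\d+) exit signal (?P<signame>[A-Za-z ]+) \((?P<signo>\d+)\)"
)


def parse_child_exit(line):
    """Return (timestamp, child_pid, signal_number) for a child-exit line, else None."""
    m = _CHILD_EXIT_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return ts, int(m["pid"]), int(m["signo"])


def find_crash_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Slide a time window over SIGSEGV child exits and return one alert per burst.

    Each alert is a dict with the first and last crash time in the window, the
    crash count and the dead child pids. The window is cleared after an alert
    so a sustained attack produces a stream of alerts rather than one per line.
    Threshold and window are assumptions; tune to the MPM and normal churn.
    """
    alerts = []
    recent = deque()
    for line in lines:
        parsed = parse_child_exit(line)
        if parsed is None or parsed[2] != SIGSEGV:
            continue  # ignore non-crash exits, e.g. SIGTERM (15) from a graceful restart
        ts, pid, _ = parsed
        recent.append((ts, pid))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({
                "first": recent[0][0],
                "last": ts,
                "count": len(recent),
                "pids": [p for _, p in recent],
            })
            recent.clear()
    return alerts


# Constructed sample: three crashes in 3 s (attack), one SIGTERM (noise), then
# two isolated crashes 145 s apart that should stay below the threshold.
SAMPLE_ERROR_LOG = """\
[Mon Dec 15 17:02:58 2014] [notice] Apache/2.2.29 (Unix) DAV/2 SVN/1.8.10 configured -- resuming normal operations
[Mon Dec 15 17:03:11 2014] [notice] child pid 4121 exit signal Segmentation fault (11)
[Mon Dec 15 17:03:12 2014] [notice] child pid 4122 exit signal Segmentation fault (11)
[Mon Dec 15 17:03:14 2014] [notice] child pid 4123 exit signal Segmentation fault (11)
[Mon Dec 15 17:10:00 2014] [notice] child pid 4130 exit signal Terminated (15)
[Mon Dec 15 17:40:05.001234 2014] [core:notice] [pid 1] AH00052: child pid 5001 exit signal Segmentation fault (11)
[Mon Dec 15 17:42:30.002345 2014] [core:notice] [pid 1] AH00052: child pid 5002 exit signal Segmentation fault (11)
"""

if __name__ == "__main__":
    for alert in find_crash_bursts(SAMPLE_ERROR_LOG.splitlines()):
        print(f"{alert['count']} worker segfaults between {alert['first']} and "
              f"{alert['last']} (pids {alert['pids']}) - possible crash DoS")
```

In production feed it `tail -F /var/log/apache2/error_log` instead of the sample string, and correlate the alert window with the access_log to see which client and which REPORT or transaction URI preceded each crash; that is the evidence needed to block the source while the upgrade is rolled out.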
Created attachment 391530: Subversion Patches for CVE-2014-3580
Created attachment 391532: Subversion Patches for CVE-2014-8108
This is now public via $URL.
+*subversion-1.8.11 (16 Dec 2014) + + 16 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -subversion-1.8.9.ebuild, + +subversion-1.8.11.ebuild, + -files/subversion-1.6.0-disable_linking_against_unneeded_libraries.patch, + -files/subversion-1.6.2-local_library_preloading.patch, + -files/subversion-1.6.3-kwallet_window.patch, + -files/subversion-1.7.6-kwallet.patch, + -files/subversion-1.7.6-revert-mod_dontdothat-move.patch, + -files/svnserve.initd: + Security bump (bug #532406). Removed old. + Arches please test and mark stable =dev-vcs/subversion-1.8.11 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
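Review bot: the ChangeLog entry records the fix only as "Security bump (bug #532406)" and never names the issues it closes; add "CVE-2014-3580, CVE-2014-8108" to that line so the fixed CVEs are findable from the ChangeLog without consulting the bug tracker. The entry also drops files/svnserve.initd with no replacement added in the same commit; confirm that the new subversion-1.8.11.ebuild no longer references that init script (or installs one from another source), otherwise the bump breaks svnserve users. Finally, only 1.8.11 is added here while the advisory fixes the 1.7 branch in 1.7.19 and subversion-1.7.18 stays in the tree; note in the entry that the 1.7 branch is handled separately.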
Stable for HPPA.
Arches: Also please test and mark stable: dev-vcs/subversion-1.7.19 target keywords="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
amd64 stable
x86 stable
alpha stable
arm stable
ppc stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
+ 26 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> + -subversion-1.7.18.ebuild, -subversion-1.8.10.ebuild, + -subversion-1.8.10-r1.ebuild, -files/subversion-1.8.9-po_fixes.patch: + Removed vulnerable versions. +
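Review bot: this cleanup entry carries no bug reference, unlike the 16 Dec entry that cites bug #532406; removing the vulnerable subversion-1.7.18, 1.8.10 and 1.8.10-r1 ebuilds completes that security bump, so cite the same bug here for traceability. Dropping files/subversion-1.8.9-po_fixes.patch together with the last 1.8.10 ebuilds is fine provided the remaining 1.8.11 ebuild does not reference it.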
CVE-2014-8108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8108):
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist.

CVE-2014-3580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3580):
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.
Thanks for your work, guys. GLSA vote: no
NO too, closing.