Details inbound...
Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://

Summary:
========

Subversion's mod_dontdothat module and clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion.

The attack, otherwise known as the "billion laughs attack", targets XML parsers and can cause the targeted process to consume an excessive amount of CPU resources or memory.

There are no known instances of this problem being exploited in the wild. The details for this vulnerability have been disclosed on the Subversion development mailing list.

Known vulnerable:
=================

mod_dontdothat 1.4.0 through 1.8.16 (inclusive)
mod_dontdothat 1.9.0 through 1.9.4 (inclusive)
Subversion clients 1.4.0 through 1.8.16 (inclusive)
Subversion clients 1.9.0 through 1.9.4 (inclusive)

Note: Subversion clients 1.4.0 through 1.7.22 can use either Serf or Neon as HTTP library. Among these versions, only clients using Serf are vulnerable.

Known fixed:
============

Subversion 1.8.17
Subversion 1.9.5

Subversion clients not using http(s):// are not vulnerable.

Details:
========

The attack takes advantage of three properties of XML (substitution entities, nested entities, and inline DTDs) that allow preparing an XML bomb -- a small block of XML that can require a significant amount of CPU resources or memory to process.

An authenticated remote attacker can cause denial-of-service conditions on the server using mod_dontdothat by sending a specially crafted REPORT request. The attack does not require access to a particular repository.

If an attacker has control over HTTP responses sent to a Subversion client, he can cause denial-of-service conditions on the client by injecting the XML bomb into the response.

Severity:
=========

CVSSv2 Base Score: 3.5
CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

We consider this to be a medium risk vulnerability.

While mod_dontdothat is not typically installed, server installations using it are vulnerable to authenticated attackers. The attack does not require read access to a particular repository. Servers which allow for anonymous reads will be vulnerable without authentication.

The client side of this vulnerability might be exploited as well, but requires an attacker to have control over HTTP responses delivered to the client.

Recommendations:
================

We recommend that all users upgrade to Subversion 1.9.5. Users of Subversion 1.8.x and 1.9.x who are unable to upgrade may apply the included patch.

New Subversion packages can be found at:
http://subversion.apache.org/packages.html

No workaround is available.

References:
===========

CVE-2016-8734 (Subversion)

Reported by:
============

Florian Weimer, Red Hat, Inc.
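The advisory's three ingredients (an inline DTD, substitution entities, and entities that nest) are easier to reason about with the payload in hand. The following is an added example and is not code from Subversion, mod_dontdothat or the advisory. It constructs a classic entity bomb (a constructed sample, not a captured REPORT body), estimates its expanded size from the DTD alone without expanding anything, confirms the estimate against expat on a small variant, and shows a guard that refuses any entity declaration before expansion starts. The guard's premise, that the protocol being parsed has no legitimate use for user-defined entities, is my assumption for illustration, not a statement about how the 1.8.17/1.9.5 fix is implemented.

```python
"""Billion-laughs demonstration and guards (added example; not Subversion code)."""
import re
import xml.parsers.expat

# The estimator only models general entities with a quoted literal value in
# the internal DTD subset.  Parameter entities (<!ENTITY % ...>) and external
# entities (SYSTEM/PUBLIC) are out of scope here; the expat guard below still
# refuses them, because EntityDeclHandler fires for every kind of declaration.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([A-Za-z_][\w.\-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&([A-Za-z_][\w.\-]*);")


class EntityDeclarationError(ValueError):
    """Raised when a document declares entities the protocol never needs."""


def build_bomb(depth, fanout, leaf="lol"):
    """Construct the classic XML bomb (constructed sample input, not a real capture).

    Entity lol<d> references lol<d-1> `fanout` times, so lol<depth> expands to
    len(leaf) * fanout**depth bytes while the document itself stays under 1 KiB.
    """
    decls = [f'<!ENTITY lol "{leaf}">']
    for d in range(1, depth + 1):
        prev = "lol" if d == 1 else f"lol{d - 1}"
        refs = ("&" + prev + ";") * fanout
        decls.append(f'<!ENTITY lol{d} "{refs}">')
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE lolz [\n" + "\n".join(decls) + "\n]>\n"
        f"<lolz>&lol{depth};</lolz>"
    )


def estimate_expansion(doc):
    """Bytes of character data the parser would produce from entity references
    in `doc`, computed from the declarations alone: nothing is expanded here.

    Raises EntityDeclarationError on a self-referencing entity, which XML
    forbids and expat rejects anyway.
    """
    table = {}
    for m in ENTITY_DECL.finditer(doc):
        name, dq, sq = m.groups()
        table[name] = dq if dq is not None else sq
    memo = {}

    def cost(name, stack):
        if name in memo:
            return memo[name]
        if name not in table:
            return 1  # predefined entities (&amp; etc.) expand to one character
        if name in stack:
            raise EntityDeclarationError(f"recursive entity {name!r}")
        value = table[name]
        literal = len(ENTITY_REF.sub("", value))
        total = literal + sum(cost(r, stack | {name}) for r in ENTITY_REF.findall(value))
        memo[name] = total
        return total

    body = ENTITY_DECL.sub("", doc)  # references left over are the ones in content
    return sum(cost(r, frozenset()) for r in ENTITY_REF.findall(body))


def expanded_length(doc):
    """The unprotected path: let expat expand everything and count the output.
    Only call this on a small bomb."""
    parser = xml.parsers.expat.ParserCreate()
    total = [0]
    parser.CharacterDataHandler = lambda data: total.__setitem__(0, total[0] + len(data))
    parser.Parse(doc, True)
    return total[0]


def parse_rejecting_entities(doc):
    """Parse with expat but abort at the first entity declaration of any kind,
    so a bomb is refused before a single byte is expanded.  Returns the root
    element name for a document that declares no entities."""
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise EntityDeclarationError(f"entity declaration {name!r} refused")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(doc, True)
    return root[0]


if __name__ == "__main__":
    small = build_bomb(3, 10)
    print("small bomb:", len(small), "bytes on the wire,", estimate_expansion(small),
          "bytes estimated,", expanded_length(small), "bytes actually produced")
    big = build_bomb(9, 10)
    print("billion laughs:", len(big), "bytes on the wire,", estimate_expansion(big),
          "bytes estimated")
    try:
        parse_rejecting_entities(big)
    except EntityDeclarationError as exc:
        print("guarded parse refused it:", exc)
    print("plain document root:", parse_rejecting_entities("<report/>"))
```

The estimator is exact for internal general entities because expansion is purely textual, so a server that must accept DTDs can bound the work before handing the body to the real parser; a server whose protocol never needs custom entities is better served by the second function, which turns the whole class into a parse error. Raising inside an expat handler propagates out of `Parse()`, which is what stops the expansion.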
Created attachment 454034: 1.8.16 patch

Created attachment 454036: 1.9.4 patch
commit f41f37fe49472c2e0baa3811f04ed3fd5ffcaaff
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Nov 29 14:37:48 2016

    dev-vcs/subversion: Sec bump to versions 1.8.17 and 1.9.5 (bug #600468).

    CVE-2016-8734

    Package-Manager: portage-2.3.2

(In reply to Lars Wendler (Polynomial-C) from comment #4)
> commit f41f37fe49472c2e0baa3811f04ed3fd5ffcaaff
> Author: Lars Wendler <polynomial-c@gentoo.org>
> Date:   Tue Nov 29 14:37:48 2016
>
>     dev-vcs/subversion: Sec bump to versions 1.8.17 and 1.9.5 (bug #600468).
>
>     CVE-2016-8734
>
>     Package-Manager: portage-2.3.2

Ready for stable?
Arches please test and mark stable the following two versions:

=dev-vcs/subversion-1.8.17
=dev-vcs/subversion-1.9.5

Target KEYWORDS are: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
amd64 stable
x86 stable
Stable on alpha.
arm stable
sparc stable
ia64 stable
ppc stable
ppc64 stable
Stable for HPPA.
GLSA Vote: No

@ Maintainer(s): Please clean up and drop =dev-vcs/subversion-1.8.16 and =dev-vcs/subversion-1.9.4!

commit ce49f205ec6230ff2ffefebc6d865be9539170e4
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Jan 15 23:14:57 2017

    dev-vcs/subversion: Security cleanup (bug #600468).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Tree is clean