Articles / SuSE: New subversion packag...

SuSE: New subversion packages fix remote denial of service

Patrick Lenz @scoop 27 Jul 2011 13:35 0

Subversion was updated to fix several security issues: The mod_dav_svn Apache HTTPD server module can be crashed though when asked to deliver baselined WebDAV resources. The mod_dav_svn Apache HTTPD server module can trigger a loop which consumes all available memory on the system. The mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users. Remote attackers could crash an svn server by causing a NULL deref. Updated packages are available from download.opensuse.org.

  SUSE Security Update: subversion
______________________________________________________________________________

Announcement ID:    SUSE-SU-2011:0691-1
Rating:             important
References:         #676949 #688968 #698205 
Cross-References:   CVE-2011-0715 CVE-2011-1752 CVE-2011-1783
                   CVE-2011-1921
Affected Products:
                   SUSE Linux Enterprise Software Development Kit 11 SP1
______________________________________________________________________________

  An update that fixes four vulnerabilities is now available.

Description:


  Subversion was updated to fix several security issues:

  * CVE-2011-1752: The mod_dav_svn Apache HTTPD server
  module can be crashed though when asked to deliver
  baselined WebDAV resources.
  * CVE-2011-1783: The mod_dav_svn Apache HTTPD server
  module can trigger a loop which consumes all available
  memory on the system.
  * CVE-2011-1921: The mod_dav_svn Apache HTTPD server
  module may leak to remote users the file contents of files
  configured to be unreadable by those users.
  * CVE-2011-0715: Remote attackers could crash an svn
  server by causing a NULL deref

  Security Issue references:

  * CVE-2011-1752
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1752

  * CVE-2011-1783
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1783

  * CVE-2011-1921
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1921

  * CVE-2011-0715
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0715



Patch Instructions:

  To install this SUSE Security Update use YaST online_update.
  Alternatively you can run the command listed for your product:

  - SUSE Linux Enterprise Software Development Kit 11 SP1:

     zypper in -t patch sdksp1-subversion-4691

  To bring your system up-to-date, use "zypper patch".


Package List:

  - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):

     subversion-1.5.7-0.10.1
     subversion-devel-1.5.7-0.10.1
     subversion-perl-1.5.7-0.10.1
     subversion-python-1.5.7-0.10.1
     subversion-server-1.5.7-0.10.1
     subversion-tools-1.5.7-0.10.1


References:

  http://support.novell.com/security/cve/CVE-2011-0715.html
  http://support.novell.com/security/cve/CVE-2011-1752.html
  http://support.novell.com/security/cve/CVE-2011-1783.html
  http://support.novell.com/security/cve/CVE-2011-1921.html
  https://bugzilla.novell.com/676949
  https://bugzilla.novell.com/688968
  https://bugzilla.novell.com/698205
  http://download.novell.com/patch/finder/?keywords=042ece1ed68574582bf41a46ffb91d01

Related projects

Screenshot

Project Spotlight

pkgtxt2db

A tool to convert Slackware PACKAGES.TXT to various databases formats.

Screenshot

Project Spotlight

PowerDNS Recursor

An advanced, high-performance, and secure recursing nameserver.