Medium: subversion, mod_dav_svn

2017-02-06T18:00:00
ID ALAS-2017-794
Type amazon
Reporter Amazon
Modified 2017-02-06T18:00:00

Description

Issue Overview:

It was discovered that Subversion's mod_dontdothat module and Subversion clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. An authenticated remote attacker can cause denial-of-service conditions on the server using mod_dontdothat by sending a specially crafted REPORT request. The attack does not require access to a particular repository.
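
The expansion described above grows multiplicatively with each level of nested entity references, so a request body can be screened before it reaches an XML parser. The following is an added example, not code from Subversion or from Amazon, and it generalizes beyond REPORT requests to any XML body: it computes the expanded size of each declared entity arithmetically, without expanding anything. The function names, the regex-based DTD scan and the 1,000,000-character limit are assumptions.

```python
import re

# Internal general entity declarations only: <!ENTITY name "value">.
# Parameter (%) and external (SYSTEM/PUBLIC) entities do not match (assumption:
# they are handled or refused elsewhere).
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.\-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.\-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

def expanded_sizes(xml_text):
    """Map each declared entity to its fully expanded length, computed
    arithmetically so nothing is ever expanded in memory."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)  # in XML the first declaration wins
    sizes = {}

    def size_of(name, stack):
        if name in PREDEFINED:
            return 1
        if name not in decls:
            return 0  # undeclared reference: a conforming parser rejects it
        if name in stack:
            raise ValueError("recursive entity reference: " + name)
        if name not in sizes:
            value = decls[name]
            literal = len(ENTITY_REF.sub("", value))
            sizes[name] = literal + sum(
                size_of(ref, stack | {name}) for ref in ENTITY_REF.findall(value))
        return sizes[name]

    for name in decls:
        size_of(name, frozenset())
    return sizes

def body_is_safe(xml_text, limit=1_000_000):
    """False if any declared entity would expand past `limit` characters."""
    try:
        return max(expanded_sizes(xml_text).values(), default=0) <= limit
    except (ValueError, RecursionError):
        return False

# Constructed sample: three levels, ten references each (10 -> 100 -> 1000).
SAMPLE = ('<!DOCTYPE r [<!ENTITY a "0123456789">'
          '<!ENTITY b "' + "&a;" * 10 + '">'
          '<!ENTITY c "' + "&b;" * 10 + '">]><r>&c;</r>')
```

A screen like this complements the package update below and does not replace it.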

Affected Packages:

subversion, mod_dav_svn

Issue Correction:
Run yum update subversion to update your system.
Run yum update mod_dav_svn to update your system.

New Packages:

i686:  
    mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.i686  
    mod_dav_svn-1.9.5-2.53.amzn1.i686  
    subversion-1.9.5-1.56.amzn1.i686  
    subversion-devel-1.9.5-1.56.amzn1.i686  
    mod24_dav_svn-1.9.5-1.56.amzn1.i686  
    subversion-ruby-1.9.5-1.56.amzn1.i686  
    subversion-perl-1.9.5-1.56.amzn1.i686  
    subversion-debuginfo-1.9.5-1.56.amzn1.i686  
    subversion-python27-1.9.5-1.56.amzn1.i686  
    subversion-javahl-1.9.5-1.56.amzn1.i686  
    subversion-libs-1.9.5-1.56.amzn1.i686  
    subversion-tools-1.9.5-1.56.amzn1.i686  
    subversion-python26-1.9.5-1.56.amzn1.i686

src:  
    mod_dav_svn-1.9.5-2.53.amzn1.src  
    subversion-1.9.5-1.56.amzn1.src

x86_64:  
    mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.x86_64  
    mod_dav_svn-1.9.5-2.53.amzn1.x86_64  
    subversion-libs-1.9.5-1.56.amzn1.x86_64  
    mod24_dav_svn-1.9.5-1.56.amzn1.x86_64  
    subversion-python26-1.9.5-1.56.amzn1.x86_64  
    subversion-ruby-1.9.5-1.56.amzn1.x86_64  
    subversion-1.9.5-1.56.amzn1.x86_64  
    subversion-perl-1.9.5-1.56.amzn1.x86_64  
    subversion-debuginfo-1.9.5-1.56.amzn1.x86_64  
    subversion-python27-1.9.5-1.56.amzn1.x86_64  
    subversion-devel-1.9.5-1.56.amzn1.x86_64  
    subversion-tools-1.9.5-1.56.amzn1.x86_64  
    subversion-javahl-1.9.5-1.56.amzn1.x86_64