Lucene search

K
centosCentOS ProjectCESA-2009:1203
HistoryAug 11, 2009 - 9:17 p.m.

mod_dav_svn, subversion security update

2009-08-1121:17:40
CentOS Project
lists.centos.org
52

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

EPSS

0.037

Percentile

92.0%

CentOS Errata and Security Advisory CESA-2009:1203

Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes.

Matt Lewis, of Google, reported multiple heap overflow flaws in Subversion
(server and client) when parsing binary deltas. A malicious user with
commit access to a server could use these flaws to cause a heap overflow on
that server. A malicious server could use these flaws to cause a heap
overflow on a client when it attempts to checkout or update. These heap
overflows can result in a crash or, possibly, arbitrary code execution.
(CVE-2009-2411)

All Subversion users should upgrade to these updated packages, which
contain a backported patch to correct these issues. After installing the
updated packages, the Subversion server must be restarted for the update
to take effect: restart httpd if you are using mod_dav_svn, or restart
svnserve if it is used.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-August/078232.html
https://lists.centos.org/pipermail/centos-announce/2009-August/078233.html

Affected packages:
mod_dav_svn
subversion
subversion-devel
subversion-javahl
subversion-perl
subversion-ruby

Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1203

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

EPSS

0.037

Percentile

92.0%