mod_dav_svn, subversion security update

Published: 2017-08-24 09:44:09
Source: CentOS Project (lists.centos.org)
CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.129 Low (Percentile: 95.4%)

CentOS Errata and Security Advisory CESA-2017:2480

Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes.

Security Fix(es):

  • A shell command injection flaw related to the handling of “svn+ssh” URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a “checkout” or “update” action on a malicious repository, or a legitimate repository containing a malicious commit. (CVE-2017-9800)

Red Hat would like to thank the Subversion Team for reporting this issue.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2017-August/030954.html

Affected packages:
mod_dav_svn
subversion
subversion-devel
subversion-gnome
subversion-javahl
subversion-kde
subversion-libs
subversion-perl
subversion-python
subversion-ruby
subversion-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2017:2480
