[SECURITY] [DSA 3331-1] subversion security update

2015-08-1018:21:41

lists.debian.org

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

Debian Security Advisory DSA-3331-1 [email protected]
https://www.debian.org/security/ Stefan Fritsch
August 10, 2015 https://www.debian.org/security/faq

Package : subversion
CVE ID : CVE-2015-3184 CVE-2015-3187

Several security issues have been found in the server components of the
version control system subversion.

CVE-2015-3184

Subversion&#x27;s mod_authz_svn does not properly restrict anonymous
access in some mixed anonymous/authenticated environments when
using Apache httpd 2.4.  The result is that anonymous access may
be possible to files for which only authenticated access should
be possible. This issue does not affect the oldstable distribution
(wheezy) because it only contains Apache httpd 2.2.

CVE-2015-3187

Subversion servers, both httpd and svnserve, will reveal some
paths that should be hidden by path-based authz.  When a node is
copied from an unreadable location to a readable location the
unreadable path may be revealed.  This vulnerablity only reveals
the path, it does not reveal the contents of the path.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.6.17dfsg-4+deb7u10.

For the stable distribution (jessie), these problems have been fixed in
version 1.8.10-6+deb8u1.

For the testing distribution (stretch), these problems will be fixed in
version 1.9.0-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0-1.

We recommend that you upgrade your subversion packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8amd64libapache2-mod-svn< 1.8.10-6+deb8u1libapache2-mod-svn_1.8.10-6+deb8u1_amd64.deb
Debian7armhflibsvn-java< 1.6.17dfsg-4+deb7u10libsvn-java_1.6.17dfsg-4+deb7u10_armhf.deb
Debian8i386libapache2-mod-svn< 1.8.10-6+deb8u1libapache2-mod-svn_1.8.10-6+deb8u1_i386.deb
Debian6i386subversion< 1.6.12dfsg-7+deb6u3subversion_1.6.12dfsg-7+deb6u3_i386.deb
Debian8arm64ruby-svn< 1.8.10-6+deb8u1ruby-svn_1.8.10-6+deb8u1_arm64.deb
Debian7sparclibapache2-svn< 1.6.17dfsg-4+deb7u10libapache2-svn_1.6.17dfsg-4+deb7u10_sparc.deb
Debian7s390xsubversion< 1.6.17dfsg-4+deb7u10subversion_1.6.17dfsg-4+deb7u10_s390x.deb
Debian8ppc64ellibapache2-mod-svn< 1.8.10-6+deb8u1libapache2-mod-svn_1.8.10-6+deb8u1_ppc64el.deb
Debian7ia64libsvn-perl< 1.6.17dfsg-4+deb7u10libsvn-perl_1.6.17dfsg-4+deb7u10_ia64.deb
Debian8mipsellibsvn-java< 1.8.10-6+deb8u1libsvn-java_1.8.10-6+deb8u1_mipsel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	amd64	libapache2-mod-svn	< 1.8.10-6+deb8u1	libapache2-mod-svn_1.8.10-6+deb8u1_amd64.deb
Debian	7	armhf	libsvn-java	< 1.6.17dfsg-4+deb7u10	libsvn-java_1.6.17dfsg-4+deb7u10_armhf.deb
Debian	8	i386	libapache2-mod-svn	< 1.8.10-6+deb8u1	libapache2-mod-svn_1.8.10-6+deb8u1_i386.deb
Debian	6	i386	subversion	< 1.6.12dfsg-7+deb6u3	subversion_1.6.12dfsg-7+deb6u3_i386.deb
Debian	8	arm64	ruby-svn	< 1.8.10-6+deb8u1	ruby-svn_1.8.10-6+deb8u1_arm64.deb
Debian	7	sparc	libapache2-svn	< 1.6.17dfsg-4+deb7u10	libapache2-svn_1.6.17dfsg-4+deb7u10_sparc.deb
Debian	7	s390x	subversion	< 1.6.17dfsg-4+deb7u10	subversion_1.6.17dfsg-4+deb7u10_s390x.deb
Debian	8	ppc64el	libapache2-mod-svn	< 1.8.10-6+deb8u1	libapache2-mod-svn_1.8.10-6+deb8u1_ppc64el.deb
Debian	7	ia64	libsvn-perl	< 1.6.17dfsg-4+deb7u10	libsvn-perl_1.6.17dfsg-4+deb7u10_ia64.deb
Debian	8	mipsel	libsvn-java	< 1.8.10-6+deb8u1	libsvn-java_1.8.10-6+deb8u1_mipsel.deb