[SECURITY] [DSA 3932-1] subversion security update

2017-08-1018:49:53

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Debian Security Advisory DSA-3932-1 [email protected]
https://www.debian.org/security/ Sebastien Delafond
August 10, 2017 https://www.debian.org/security/faq

Package : subversion
CVE ID : CVE-2016-8734 CVE-2017-9800

Several problems were discovered in Subversion, a centralised version
control system.

CVE-2016-8734 (jessie only)

Subversion&#x27;s mod_dontdothat server module and Subversion clients
using http(s):// were vulnerable to a denial-of-service attack
caused by exponential XML entity expansion.

CVE-2017-9800

Joern Schneeweisz discovered that Subversion did not correctly
handle maliciously constructed svn+ssh:// URLs. This allowed an
attacker to run an arbitrary shell command, for instance via
svn:externals properties or when using &#x27;svnsync sync&#x27;.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.8.10-6+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 1.9.5-1+deb9u1.

We recommend that you upgrade your subversion packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8armelsubversion< 1.8.10-6+deb8u5subversion_1.8.10-6+deb8u5_armel.deb
Debian7alllibsvn-doc< 1.6.17dfsg-4+deb7u12libsvn-doc_1.6.17dfsg-4+deb7u12_all.deb
Debian9arm64libsvn-perl-dbgsym< 1.9.5-1+deb9u1libsvn-perl-dbgsym_1.9.5-1+deb9u1_arm64.deb
Debian9armelsubversion< 1.9.5-1+deb9u1subversion_1.9.5-1+deb9u1_armel.deb
Debian8powerpcruby-svn< 1.8.10-6+deb8u5ruby-svn_1.8.10-6+deb8u5_powerpc.deb
Debian9mipslibsvn-java-dbgsym< 1.9.5-1+deb9u1libsvn-java-dbgsym_1.9.5-1+deb9u1_mips.deb
Debian9armhfruby-svn-dbgsym< 1.9.5-1+deb9u1ruby-svn-dbgsym_1.9.5-1+deb9u1_armhf.deb
Debian9i386subversion< 1.9.5-1+deb9u1subversion_1.9.5-1+deb9u1_i386.deb
Debian8kfreebsd-i386libsvn-perl< 1.8.10-6+deb8u5libsvn-perl_1.8.10-6+deb8u5_kfreebsd-i386.deb
Debian8mipspython-subversion< 1.8.10-6+deb8u5python-subversion_1.8.10-6+deb8u5_mips.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armel	subversion	< 1.8.10-6+deb8u5	subversion_1.8.10-6+deb8u5_armel.deb
Debian	7	all	libsvn-doc	< 1.6.17dfsg-4+deb7u12	libsvn-doc_1.6.17dfsg-4+deb7u12_all.deb
Debian	9	arm64	libsvn-perl-dbgsym	< 1.9.5-1+deb9u1	libsvn-perl-dbgsym_1.9.5-1+deb9u1_arm64.deb
Debian	9	armel	subversion	< 1.9.5-1+deb9u1	subversion_1.9.5-1+deb9u1_armel.deb
Debian	8	powerpc	ruby-svn	< 1.8.10-6+deb8u5	ruby-svn_1.8.10-6+deb8u5_powerpc.deb
Debian	9	mips	libsvn-java-dbgsym	< 1.9.5-1+deb9u1	libsvn-java-dbgsym_1.9.5-1+deb9u1_mips.deb
Debian	9	armhf	ruby-svn-dbgsym	< 1.9.5-1+deb9u1	ruby-svn-dbgsym_1.9.5-1+deb9u1_armhf.deb
Debian	9	i386	subversion	< 1.9.5-1+deb9u1	subversion_1.9.5-1+deb9u1_i386.deb
Debian	8	kfreebsd-i386	libsvn-perl	< 1.8.10-6+deb8u5	libsvn-perl_1.8.10-6+deb8u5_kfreebsd-i386.deb
Debian	8	mips	python-subversion	< 1.8.10-6+deb8u5	python-subversion_1.8.10-6+deb8u5_mips.deb