Debian DSA-3331-1 : subversion - security update

2015-08-1300:00:00

www.tenable.com

JSON

Several security issues have been found in the server components of the version control system subversion.

CVE-2015-3184 Subversion’s mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. The result is that anonymous access may be possible to files for which only authenticated access should be possible. This issue does not affect the oldstable distribution (wheezy) because it only contains Apache httpd 2.2.
CVE-2015-3187 Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by path-based authz.
When a node is copied from an unreadable location to a readable location the unreadable path may be revealed.
This vulnerablity only reveals the path, it does not reveal the contents of the path.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3331. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(85354);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2015-3184", "CVE-2015-3187");
  script_xref(name:"DSA", value:"3331");

  script_name(english:"Debian DSA-3331-1 : subversion - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several security issues have been found in the server components of
the version control system subversion.

  - CVE-2015-3184
    Subversion's mod_authz_svn does not properly restrict
    anonymous access in some mixed anonymous/authenticated
    environments when using Apache httpd 2.4. The result is
    that anonymous access may be possible to files for which
    only authenticated access should be possible. This issue
    does not affect the oldstable distribution (wheezy)
    because it only contains Apache httpd 2.2.

  - CVE-2015-3187
    Subversion servers, both httpd and svnserve, will reveal
    some paths that should be hidden by path-based authz.
    When a node is copied from an unreadable location to a
    readable location the unreadable path may be revealed.
    This vulnerablity only reveals the path, it does not
    reveal the contents of the path."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-3184"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-3187"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/subversion"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/subversion"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2015/dsa-3331"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the subversion packages.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.6.17dfsg-4+deb7u10.

For the stable distribution (jessie), these problems have been fixed
in version 1.8.10-6+deb8u1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:subversion");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"libapache2-svn", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"libsvn-dev", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"libsvn-doc", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"libsvn-java", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"libsvn-perl", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"libsvn-ruby", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"libsvn-ruby1.8", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"libsvn1", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"python-subversion", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"subversion", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"7.0", prefix:"subversion-tools", reference:"1.6.17dfsg-4+deb7u10")) flag++;
if (deb_check(release:"8.0", prefix:"libapache2-mod-svn", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libapache2-svn", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsvn-dev", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsvn-doc", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsvn-java", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsvn-perl", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsvn-ruby1.8", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsvn1", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"python-subversion", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"ruby-svn", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"subversion", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"subversion-dbg", reference:"1.8.10-6+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"subversion-tools", reference:"1.8.10-6+deb8u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

VendorProductVersionCPE
debiandebian_linuxsubversionp-cpe:/a:debian:debian_linux:subversion
debiandebian_linux7.0cpe:/o:debian:debian_linux:7.0
debiandebian_linux8.0cpe:/o:debian:debian_linux:8.0

Vendor	Product	Version	CPE
debian	debian_linux	subversion	p-cpe:/a:debian:debian_linux:subversion
debian	debian_linux	7.0	cpe:/o:debian:debian_linux:7.0
debian	debian_linux	8.0	cpe:/o:debian:debian_linux:8.0