Fedora 20 : subversion-1.8.10-1.fc20 (2014-9636)

2014-08-29T00:00:00
ID FEDORA_2014-9636.NASL
Type nessus
Reporter Tenable
Modified 2018-12-05T00:00:00

Description

This update includes the latest stable release of Apache Subversion, version 1.8.10.

Client-side bugfixes:

  • guard against md5 hash collisions when finding cached credentials

  • ra_serf: properly match wildcards in SSL certs.

  • ra_serf: ignore the CommonName in SSL certs where there are Subject Alt Names

  • ra_serf: fix a URI escaping bug that prevented deleting locked paths

  • rm: Display the proper URL when deleting a URL in the commit log editor

  • log: Fix another instance of broken pipe error

  • copy: Properly handle props not present or excluded on cross wc copy

  • copy: Fix copying parents of locally deleted nodes between wcs

  • externals: Properly delete ancestor directories of externals when removing the external by changing svn:externals.

  • ra_serf: fix memory lifetime of some hash values

Server-side bugfixes:

  • fsfs: omit config file when creating pre-1.5 format repos

Bindings:

  • ruby: removing warning about Ruby 1.9 support being new.

  • python: fix notify_func callbacks

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2014-9636.
#

include("compat.inc");

# Registration phase: when the script is run with `description` set, it only
# declares plugin metadata (identifiers, references, risk vectors, required
# KB keys) and exits before any host check is performed.
if (description)
{
  script_id(77428);
  script_version("1.4");
  script_cvs_date("Date: 2018/12/05 20:31:22");

  # Only one CVE is registered for this update.
  # NOTE(review): it appears to correspond to the ra_serf wildcard certificate
  # matching fix listed in the description below; confirm against the advisory.
  # The description also lists a guard against md5 collisions in the credential
  # cache; confirm whether that item is tracked under a separate identifier,
  # since findings from this plugin will not be mapped to it.
  script_cve_id("CVE-2014-3522");
  script_bugtraq_id(69237);
  script_xref(name:"FEDORA", value:"2014-9636");

  script_name(english:"Fedora 20 : subversion-1.8.10-1.fc20 (2014-9636)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  # The description is the vendor advisory text, reproduced as a single string.
  # It mixes security-relevant fixes (certificate matching, credential cache)
  # with ordinary bug fixes, so it is not by itself a statement of impact.
  script_set_attribute(
    attribute:"description", 
    value:
"This update includes the latest stable release of **Apache
Subversion**, version **1.8.10**.

**Client-side bugfixes:**

  - guard against md5 hash collisions when finding cached
    credentials

    - ra_serf: properly match wildcards in SSL certs.

    - ra_serf: ignore the CommonName in SSL certs where
      there are Subject Alt Names

    - ra_serf: fix a URI escaping bug that prevented
      deleting locked paths

    - rm: Display the proper URL when deleting a URL in the
      commit log editor

    - log: Fix another instance of broken pipe error

    - copy: Properly handle props not present or excluded on
      cross wc copy

    - copy: Fix copying parents of locally deleted nodes
      between wcs

    - externals: Properly delete ancestor directories of
      externals when removing the external by changing
      svn:externals.

    - ra_serf: fix memory lifetime of some hash values

**Server-side bugfixes:**

  - fsfs: omit config file when creating pre-1.5 format
    repos

**Bindings:**

  - ruby: removing warning about Ruby 1.9 support being new.

    - python: fix notify_func callbacks

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # Upstream bug tracker entries referenced by the advisory.
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1125800"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1128884"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1129100"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137116.html
  # The value below is presumably the shortened form of the URL above; note
  # that the short link is given over plain http, unlike the other references.
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?ede7be2c"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected subversion package."
  );
  # CVSS v2 base vector: network access, high access complexity, no
  # authentication, partial confidentiality and integrity impact, no
  # availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
  # CVSS v2 temporal vector: exploitability unproven, official fix available,
  # report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Declared as a local check: the result is derived from host package data
  # (see the required KB keys below), not from probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/08/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # The check depends on ssh_get_info.nasl and on three KB entries: local
  # checks enabled, the RedHat-family release string, and the rpm list.
  # Without credentialed access that populates them, this plugin yields no
  # finding, which must not be read as "host is patched".
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  # Metadata only: stop here in the registration phase.
  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Check phase: confirm the target is a Fedora 20 host on a handled CPU
# architecture with a collected rpm list, then compare the installed
# subversion package against the fixed build named in the advisory.
# Every audit() call below ends the script with a "not applicable" style
# result rather than a finding.

# Local (credentialed) checks must have been enabled by an earlier plugin.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
# `>!<` is the "substring not found in" operator: reject non-Fedora release strings.
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
# Pull the numeric release out of the release string.
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
# Only release 20 is in scope; the anchor rejects values such as 200.
if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);

# No package inventory means the comparison below cannot be made.
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
# Only x86_64 and i386 through i686 are handled; any other architecture is
# audited out as "not implemented", so such hosts are never reported here.
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
# rpm_check() comes from rpm.inc; presumably it returns true when the installed
# package is older than the reference build (confirm against rpm.inc).
# The decision rests on the package name-version-release alone: a finding means
# the package is below the fixed build, not that the affected code path
# (for example https access through ra_serf) is in use on this host.
if (rpm_check(release:"FC20", reference:"subversion-1.8.10-1.fc20")) flag++;


if (flag)
{
  # Report at port 0 (host level); include the rpm comparison detail when the
  # scan's report verbosity allows it.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Distinguish "package present and at or above the fixed build" from
  # "package not installed at all" in the audit trail.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "subversion");
}