[ MDVSA-2013:288 ] subversion

2014-01-09T00:00:00
ID SECURITYVULNS:DOC:30208
Type securityvulns
Reporter Securityvulns
Modified 2014-01-09T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1


Mandriva Linux Security Advisory MDVSA-2013:288 http://www.mandriva.com/en/support/security/


Package : subversion Date : December 17, 2013 Affected: Business Server 1.0, Enterprise Server 5.0


Problem Description:

Updated subversion package fixes security vulnerabilities:

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat (CVE-2013-4505).

When SVNAutoversioning is enabled via SVNAutoversioning on, commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort (CVE-2013-4558).


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558 http://advisories.mageia.org/MGASA-2013-0360.html


Updated Packages:

Mandriva Enterprise Server 5: 1d62fa579ffae8bd706142dad45105da mes5/i586/apache-mod_dav_svn-1.7.14-0.1mdvmes5.2.i586.rpm 90d784c463acf8b78c1c691b2f30d6dd mes5/i586/libsvn0-1.7.14-0.1mdvmes5.2.i586.rpm c47b980a3ea89f15b8619d253d8f23f4 mes5/i586/libsvnjavahl1-1.7.14-0.1mdvmes5.2.i586.rpm 62a6b7850e09694fdfc0478a96e2642a mes5/i586/perl-SVN-1.7.14-0.1mdvmes5.2.i586.rpm a38c85d2badb6f099d1578d27c81ccb3 mes5/i586/perl-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm dbda83b4ca0fd7594357686a512a9366 mes5/i586/python-svn-1.7.14-0.1mdvmes5.2.i586.rpm 9f825413b80cf29fe2ba78a94f7d64bb mes5/i586/python-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm 308adec20a31c7dd0c6cf69c43624e81 mes5/i586/ruby-svn-1.7.14-0.1mdvmes5.2.i586.rpm 3158f991bd283c715954591bcad317c8 mes5/i586/ruby-svn-devel-1.7.14-0.1mdvmes5.2.i586.rpm 12692ba193dec95fff2f0d54a9dceb85 mes5/i586/subversion-1.7.14-0.1mdvmes5.2.i586.rpm 15dec4d935c6c0dcb27133d041d6f251 mes5/i586/subversion-devel-1.7.14-0.1mdvmes5.2.i586.rpm 6a244097644da7b883f4d9728859f54e mes5/i586/subversion-doc-1.7.14-0.1mdvmes5.2.i586.rpm 7c8e22b78d0e37af09e566fe84a6f72e mes5/i586/subversion-server-1.7.14-0.1mdvmes5.2.i586.rpm 42c72886b4f762de675423647fbd4d98 mes5/i586/subversion-tools-1.7.14-0.1mdvmes5.2.i586.rpm 5dc67eac926230ccf2cf8f6ad56ee711 mes5/i586/svn-javahl-1.7.14-0.1mdvmes5.2.i586.rpm 7201e07969effc89b5f05e14f02a3dbf mes5/SRPMS/subversion-1.7.14-0.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64: 58344ddf6bdf2e082fc9eb9c370c1d6c mes5/x86_64/apache-mod_dav_svn-1.7.14-0.1mdvmes5.2.x86_64.rpm ba396e7cc6a0b57a60d4328bf9f4e4d2 mes5/x86_64/lib64svn0-1.7.14-0.1mdvmes5.2.x86_64.rpm 873f5a1f6aa95d2bf72696dbb871fefe mes5/x86_64/lib64svnjavahl1-1.7.14-0.1mdvmes5.2.x86_64.rpm 6fc320c4c8c01a1099cd6cdfaaf0a821 mes5/x86_64/perl-SVN-1.7.14-0.1mdvmes5.2.x86_64.rpm 69ddd7592494175520da5ad5341e1fc9 mes5/x86_64/perl-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm 9ee72e400941c6e6187116107da5899a mes5/x86_64/python-svn-1.7.14-0.1mdvmes5.2.x86_64.rpm 1797db04f38985ef088ec2564b04029d mes5/x86_64/python-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm 18ee8cf84ee12d32f3a7419a03704316 mes5/x86_64/ruby-svn-1.7.14-0.1mdvmes5.2.x86_64.rpm 06c6c293e7f27f0747c1253a5906ff31 mes5/x86_64/ruby-svn-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm f797fd2bdb68d576bfea93bc03dc4a76 mes5/x86_64/subversion-1.7.14-0.1mdvmes5.2.x86_64.rpm 338eab05e30504debf272a51d72607c3 mes5/x86_64/subversion-devel-1.7.14-0.1mdvmes5.2.x86_64.rpm 74bac1ee842f300896bb58c017b39223 mes5/x86_64/subversion-doc-1.7.14-0.1mdvmes5.2.x86_64.rpm 25f6cd72c7fce5416af388218e221957 mes5/x86_64/subversion-server-1.7.14-0.1mdvmes5.2.x86_64.rpm 0ca18c4790cf3220833b68a0a04642b6 mes5/x86_64/subversion-tools-1.7.14-0.1mdvmes5.2.x86_64.rpm f36cf1106c787f0a1732e4f1b27d151a mes5/x86_64/svn-javahl-1.7.14-0.1mdvmes5.2.x86_64.rpm 7201e07969effc89b5f05e14f02a3dbf mes5/SRPMS/subversion-1.7.14-0.1mdvmes5.2.src.rpm

Mandriva Business Server 1/X86_64: 8eaa5477089468e118b8e3e37fdfa136 mbs1/x86_64/apache-mod_dav_svn-1.7.14-0.1.mbs1.x86_64.rpm 1e213dc581bfc397f250c0d830969cea mbs1/x86_64/lib64svn0-1.7.14-0.1.mbs1.x86_64.rpm 8bf03ee5f00dc27844b27887dd69874b mbs1/x86_64/lib64svn-gnome-keyring0-1.7.14-0.1.mbs1.x86_64.rpm a445a790fa679c1336a76455823a71f4 mbs1/x86_64/lib64svnjavahl1-1.7.14-0.1.mbs1.x86_64.rpm c72a3886afb0fd0b4442678fba184f7b mbs1/x86_64/perl-SVN-1.7.14-0.1.mbs1.x86_64.rpm 0ec8baf5d59f783eb597dc56b02eb443 mbs1/x86_64/perl-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm 75a468494a343b9ad30f50daf9ff8bae mbs1/x86_64/python-svn-1.7.14-0.1.mbs1.x86_64.rpm 6acf2fc86952e7ff6f80249efa3a2b85 mbs1/x86_64/python-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm 5968e570d367b5f1108ddfbb68919ecd mbs1/x86_64/ruby-svn-1.7.14-0.1.mbs1.x86_64.rpm 9409c0f3a3609e4828fbebf663305ee5 mbs1/x86_64/ruby-svn-devel-1.7.14-0.1.mbs1.x86_64.rpm 64a752059f681dad3d0eee9a08842574 mbs1/x86_64/subversion-1.7.14-0.1.mbs1.x86_64.rpm 9ac971374394757e942afd4f7e58735c mbs1/x86_64/subversion-devel-1.7.14-0.1.mbs1.x86_64.rpm 5c2675975cd738271399170583c1bc93 mbs1/x86_64/subversion-doc-1.7.14-0.1.mbs1.x86_64.rpm 4cfccaa84ed2fe9b6e2c2dee34b20c30 mbs1/x86_64/subversion-gnome-keyring-devel-1.7.14-0.1.mbs1.x86_64.rpm 12ab8392f8eeb1d803284e58554337af mbs1/x86_64/subversion-server-1.7.14-0.1.mbs1.x86_64.rpm d5d76797698ab08ccffed5e75f89c317 mbs1/x86_64/subversion-tools-1.7.14-0.1.mbs1.x86_64.rpm 8573ae56f5f3289d2cce2c56d3f60f53 mbs1/x86_64/svn-javahl-1.7.14-0.1.mbs1.x86_64.rpm f0dae800b549b3d4e40e7f7b497b37b6 mbs1/SRPMS/subversion-1.7.14-0.1.mbs1.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSsEzymqjQ0CJFipgRAvIfAJ9DMlIqd+FYAkiAr13GioFFbiKO5wCglpaQ eArXx+wROjIIeYmUpmpyvM0= =L3Es -----END PGP SIGNATURE-----