| Summary: | subversion new security issues CVE-2014-3580 and CVE-2014-8108 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/627315/ | ||
| Whiteboard: | has_procedure MGA4-64-OK MGA4-32-OK advisory | ||
| Source RPM: | subversion-1.8.10-6.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-12-17 17:52:35 CET

David Walser
2014-12-17 17:54:26 CET
Whiteboard: (none) => MGA4TOO,

David Walser
2014-12-17 17:54:35 CET
Whiteboard: MGA4TOO, => MGA4TOO

Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

A NULL pointer dereference flaw was found in the way mod_dav_svn handled REPORT requests. A remote, unauthenticated attacker could use a crafted REPORT request to crash mod_dav_svn (CVE-2014-3580).

A NULL pointer dereference flaw was found in the way mod_dav_svn handled URIs for virtual transaction names. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash (CVE-2014-8108).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108
http://subversion.apache.org/security/CVE-2014-3580-advisory.txt
http://subversion.apache.org/security/CVE-2014-8108-advisory.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1174054
https://bugzilla.redhat.com/show_bug.cgi?id=1174057
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.11-1.mga4
subversion-doc-1.8.11-1.mga4
libsvn0-1.8.11-1.mga4
libsvn-gnome-keyring0-1.8.11-1.mga4
libsvn-kwallet0-1.8.11-1.mga4
subversion-server-1.8.11-1.mga4
subversion-tools-1.8.11-1.mga4
python-svn-1.8.11-1.mga4
ruby-svn-1.8.11-1.mga4
libsvnjavahl1-1.8.11-1.mga4
svn-javahl-1.8.11-1.mga4
perl-SVN-1.8.11-1.mga4
subversion-kwallet-devel-1.8.11-1.mga4
subversion-gnome-keyring-devel-1.8.11-1.mga4
perl-svn-devel-1.8.11-1.mga4
python-svn-devel-1.8.11-1.mga4
ruby-svn-devel-1.8.11-1.mga4
subversion-devel-1.8.11-1.mga4
apache-mod_dav_svn-1.8.11-1.mga4

from subversion-1.8.11-1.mga4.src.rpm

Severity: normal => major

Quoting Rémi from last time...

There are bits of procedure here: https://bugs.mageia.org/show_bug.cgi?id=10895#c4

To follow that procedure, you need to install subversion-tools for the first part, and apache-mod_dav_svn for the last one.

Whiteboard: (none) => has_procedure

MGA4-32 on Acer D620,
Trying to install from Core updates testing I get in MCC:
Sorry, the following package cannot be selected:

- subversion-kwallet-devel-1.8.11-1.mga4.i586

Is this essential to the issue?

CC: (none) => herman.viaene

MGA4-64 on HP Probook 6555b
No installation issues, but trying to repeat the procedure of Comment 2 throws a problem.
At the CLI:

svn import /home/xxxx/project/ file:///home/xxxx/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found

I tried

svn import -m "Test update" /home/tester4/project/ file:///home/tester4/svn/project

That seemed to do the trick. Checkin and checkout OK.
Then used su -l on a second konsole tab to edit the subversion.conf file to refer to /home/xxxx/svn as SVN path and restart the httpd service, as I never use sudo.
Pointing Firefox to http://http://localhost/svn/repos results in Object not found ...... Error 404

Subversion.conf file:
```apache
<IfModule mod_dav_svn.c>

#<Location /svn/repos>
#   DAV svn
#   SVNPath /home/xxxx/svn
#
#   # Limit write permission to list of valid users.
#   <LimitExcept GET PROPFIND OPTIONS REPORT>
#     # Require SSL connection for password protection.
#     # SSLRequireSSL
#
#     AuthType Basic
#     AuthName "Authorization Realm"
#     AuthUserFile /path/to/passwdfile
#     AuthzSVNAccessFile /path/to/access/file
#     Require valid-user
#   </LimitExcept>
#</Location>

</IfModule>
```
(In reply to Herman Viaene from comment #3)
> MGA4-32 on Acer D620,
> Trying to install from Core updates testing I get in MCC:
> Sorry, the following package cannot be selected:
>
> - subversion-kwallet-devel-1.8.11-1.mga4.i586
> Is this essential to the issue?

Why can't it be selected?

(In reply to Herman Viaene from comment #5)
> Subversion.conf file:
> <IfModule mod_dav_svn.c>
>
> #<Location /svn/repos>
> #   DAV svn
> #   SVNPath /home/xxxx/svn
> #
> #   # Limit write permission to list of valid users.
> #   <LimitExcept GET PROPFIND OPTIONS REPORT>
> #     # Require SSL connection for password protection.
> #     # SSLRequireSSL
> #
> #     AuthType Basic
> #     AuthName "Authorization Realm"
> #     AuthUserFile /path/to/passwdfile
> #     AuthzSVNAccessFile /path/to/access/file
> #     Require valid-user
> #   </LimitExcept>
> #</Location>
>
> </IfModule>

It's commented out, that's why /svn/repos doesn't exist.

On Comment 5: for others not to make the same mistake, the 3 lines <Location>, SVNPath and </Location> have to be effective (not commented out). Then the svn repos works OK.

Whiteboard: has_procedure => has_procedure MGA4-64 OK

(In reply to Herman Viaene from comment #7)
> On Comment 5: for others not to make the same mistake, the 3 lines
> <Location>, SVNPath and </Location> have to be effective (not commented out).
> Then the svn repos works OK.

Four lines: forgot to mention the DAV line.

On Comment 6 ref. Comment 3:
I first updated in MCC the core updates testing and then tried again to install subversion-kwallet-devel-1.8.11-1.mga4.i586, and this time it drew in a whole bunch of dependencies. Once all packages were installed, the test procedure runs OK.

Note on this subversion-kwallet. I do this test on a Xfce machine; installing this package drew in 266 dependencies, of which the large majority are KDE related (of course, it is "K"wallet). But am I right in thinking that svn and apache are not really depending on KDE????
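The 404 diagnosed in comments 5 through 8 came from the four mod_dav_svn lines (Location, DAV svn, SVNPath and the closing Location) being left commented out in subversion.conf. The POSIX shell script below is an added example, not part of the bug report or of the Mageia package: it lints an Apache config file and names each of those four directives that is missing or commented out, so a tester can tell before restarting httpd whether /svn/repos will be served. The sample configuration it writes, the /path/to/svn/repos repository path and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or the Mageia package): lint an
# Apache config file for the mod_dav_svn directives that must be active for
# a /svn/repos location to exist. A line whose first non-blank character is
# '#' is a comment and does not count, which is exactly how the test
# procedure in the report ended up with a 404.

# active_lines FILE
# Print the active lines of a config file: comments and blank lines removed,
# leading whitespace stripped.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# check_svn_conf FILE
# Prints one line per required directive that is missing or commented out;
# returns 0 when all four are active and 1 otherwise.
check_svn_conf() {
    active=$(active_lines "$1") || return 1
    missing=0
    # name=regex pairs; each regex is anchored at the start of an active line
    for spec in 'Location=^<Location ' 'DAV=^DAV svn' \
                'SVNPath=^SVNPath ' '/Location=^</Location>'; do
        name=${spec%%=*}
        pattern=${spec#*=}
        if ! printf '%s\n' "$active" | grep -q -- "$pattern"; then
            echo "directive $name is missing or commented out"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# write_sample_conf FILE broken|fixed
# Writes a constructed subversion.conf modelled on the one in the report:
# "broken" leaves the four directives commented out, "fixed" activates them.
# The repository path is a placeholder, not a real Mageia path.
write_sample_conf() {
    if [ "$2" = fixed ]; then c=''; else c='#'; fi
    cat >"$1" <<EOF
<IfModule mod_dav_svn.c>
${c}<Location /svn/repos>
${c}  DAV svn
${c}  SVNPath /path/to/svn/repos
  # SVNPath above must point at the repository; this comment must not count.
${c}</Location>
</IfModule>
EOF
}

# demo: run the check over both constructed files and report the verdicts.
demo() {
    tmp=$(mktemp) || return 1
    for mode in broken fixed; do
        write_sample_conf "$tmp" "$mode"
        if check_svn_conf "$tmp"; then
            echo "$mode config: OK, /svn/repos will be served"
        else
            echo "$mode config: /svn/repos will return 404"
        fi
    done
    rm -f "$tmp"
}

demo
```

Against a real file, `check_svn_conf /path/to/subversion.conf` is the only call needed; the check deliberately ignores the LimitExcept and auth lines, since those only affect who may write, not whether the location exists.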
Herman Viaene
2014-12-20 14:40:51 CET
Whiteboard: has_procedure MGA4-64 OK => has_procedure MGA4-64 OK MGA4-32-OK

LWN reference for CVE-2014-3580: http://lwn.net/Vulnerabilities/627315/

Nothing for CVE-2014-8108 yet.

URL: (none) => http://lwn.net/Vulnerabilities/627315/

claire robinson
2014-12-23 10:50:24 CET
Whiteboard: has_procedure MGA4-64 OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

Validating, advisory uploaded.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0545.html

Resolution: (none) => FIXED

LWN reference for CVE-2014-8108: http://lwn.net/Vulnerabilities/627592/