Bug 16572

Summary: subversion new security issues CVE-2015-3184 and CVE-2015-3187
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: nicolas.salguero, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/654148/
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK advisory
Source RPM: subversion-1.8.13-1.mga5.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 16075    

Description David Walser 2015-08-11 17:49:16 CEST 
Upstream has released version 1.8.14 on August 5:
http://svn.haxx.se/dev/archive-2015-08/0024.shtml
http://svn.apache.org/repos/asf/subversion/tags/1.8.14/CHANGES

It fixes two security issues.  Mageia 4 and Mageia 5 are affected.

Debian has issued an advisory for this on August 10:
https://lists.debian.org/debian-security-announce/2015/msg00229.html

The DSA will be posted here:
https://www.debian.org/security/2015/dsa-3331

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Subversion's mod_authz_svn does not properly restrict anonymous access in some
mixed anonymous/authenticated environments when using Apache httpd 2.4.  The
result is that anonymous access may be possible to files for which only
authenticated access should be possible (CVE-2015-3184).

Subversion servers, both httpd and svnserve, will reveal some paths that
should be hidden by path-based authz.  When a node is copied from an
unreadable location to a readable location the unreadable path may be
revealed.  This vulnerablity only reveals the path, it does not reveal the
contents of the path (CVE-2015-3187).

This update also re-enables the java subpackage for the Mageia 5 subversion
package (mga#16075).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3187
http://subversion.apache.org/security/CVE-2015-3184-advisory.txt
http://subversion.apache.org/security/CVE-2015-3187-advisory.txt
http://svn.haxx.se/dev/archive-2015-08/0024.shtml
http://svn.apache.org/repos/asf/subversion/tags/1.8.14/CHANGES
https://bugs.mageia.org/show_bug.cgi?id=16075
https://bugs.mageia.org/show_bug.cgi?id=16572
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.14-1.mga4
subversion-doc-1.8.14-1.mga4
libsvn0-1.8.14-1.mga4
libsvn-gnome-keyring0-1.8.14-1.mga4
libsvn-kwallet0-1.8.14-1.mga4
subversion-server-1.8.14-1.mga4
subversion-tools-1.8.14-1.mga4
python-svn-1.8.14-1.mga4
ruby-svn-1.8.14-1.mga4
libsvnjavahl1-1.8.14-1.mga4
svn-javahl-1.8.14-1.mga4
perl-SVN-1.8.14-1.mga4
subversion-kwallet-devel-1.8.14-1.mga4
subversion-gnome-keyring-devel-1.8.14-1.mga4
perl-svn-devel-1.8.14-1.mga4
python-svn-devel-1.8.14-1.mga4
ruby-svn-devel-1.8.14-1.mga4
subversion-devel-1.8.14-1.mga4
apache-mod_dav_svn-1.8.14-1.mga4
subversion-1.8.14-1.mga5
subversion-doc-1.8.14-1.mga5
libsvn0-1.8.14-1.mga5
libsvn-gnome-keyring0-1.8.14-1.mga5
libsvn-kwallet0-1.8.14-1.mga5
subversion-server-1.8.14-1.mga5
subversion-tools-1.8.14-1.mga5
python-svn-1.8.14-1.mga5
ruby-svn-1.8.14-1.mga5
libsvnjavahl1-1.8.14-1.mga5
svn-javahl-1.8.14-1.mga5
perl-SVN-1.8.14-1.mga5
subversion-kwallet-devel-1.8.14-1.mga5
subversion-gnome-keyring-devel-1.8.14-1.mga5
perl-svn-devel-1.8.14-1.mga5
python-svn-devel-1.8.14-1.mga5
ruby-svn-devel-1.8.14-1.mga5
subversion-devel-1.8.14-1.mga5
apache-mod_dav_svn-1.8.14-1.mga5

from SRPMS:
subversion-1.8.14-1.mga4.src.rpm
subversion-1.8.14-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-08-11 17:49:49 CEST 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14826#c2

Blocks: (none) => 16075
Whiteboard: (none) => MGA4TOO has_procedure

David Walser 2015-08-11 18:17:46 CEST

URL: (none) => http://lwn.net/Vulnerabilities/654148/

Comment 2 Samuel Verschelde 2015-08-18 11:04:47 CEST 
(In reply to David Walser from comment #1)
> Testing procedure:
> https://bugs.mageia.org/show_bug.cgi?id=14826#c2

Note that in Mageia 4 we have to edit /etc/httpd/conf/conf.d/subversion.conf when following this procedure, not /etc/httpd/modules.d/something anymore.
Comment 3 Samuel Verschelde 2015-08-18 11:14:53 CEST 
Testing complete using the above procedure. David, I see in subversion's spec file that there is a test suite, but it's not run at build time. Do you know why?
Samuel Verschelde 2015-08-18 11:15:57 CEST

Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-64-OK

Comment 4 David Walser 2015-08-18 13:15:03 CEST 
(In reply to Samuel VERSCHELDE from comment #3)
> Testing complete using the above procedure. David, I see in subversion's
> spec file that there is a test suite, but it's not run at build time. Do you
> know why?

No.  I can try running it on the BS in Cauldron and see if it passes.
Comment 5 David Walser 2015-08-19 14:52:43 CEST 
(In reply to David Walser from comment #4)
> (In reply to Samuel VERSCHELDE from comment #3)
> > Testing complete using the above procedure. David, I see in subversion's
> > spec file that there is a test suite, but it's not run at build time. Do you
> > know why?
> 
> No.  I can try running it on the BS in Cauldron and see if it passes.

OK I just looked at this in the SPEC, and I think the comment right at the top answers your question as to why this isn't enabled:
echo "This can take quite some time to finish, so please be patient..."
echo "Don't be too surprised it the tests takes 30 minutes on a dual xeon machine..."

Also, I don't know how long it's been since anyone tried to run it, so all that mess of setting up the LD_LIBRARY_PATH may not even still be correct, and if it's still needed, it doesn't appear that the make check is really designed to actually be used.  Upstream should fix that for it to even be worth worrying about.
Comment 6 RĂ©mi Verschelde 2015-08-21 20:39:03 CEST 
Updated SVN on my Mageia 5 64bit and used it to upload the advisory. It's a bit light for a test and only covers subversion, lib64svn0 and perl-SVN, but since Stormi tested the full procedure on Mageia 4 already, I'll add an OK.

Whiteboard: MGA4TOO has_procedure MGA4-64-OK => MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK advisory

Comment 7 Nicolas Salguero 2015-08-24 10:13:07 CEST 
Hi,

Regarding Bug 16075, I have tested the Mageia 5 update and, for me, all is ok now.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 8 Samuel Verschelde 2015-08-27 16:49:55 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-08-27 22:50:41 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0326.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED