Bug 11780 - subversion new security issues CVE-2013-4505 and CVE-2013-4558
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/575369/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update

Reported: 2013-11-26 17:14 CET by David Walser
Modified: 2013-12-02 16:47 CET (History)
Source RPM: subversion-1.7.13-1.mga3.src.rpm

Description David Walser 2013-11-26 17:14:27 CET
Upstream has released version 1.7.14 and 1.8.5, fixing two security issues:
https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FE1.2030700@apache.org%3E
https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FEB.1070508@apache.org%3E

Mageia 3 is also affected.

Comment 1 Oden Eriksson 2013-11-26 17:23:33 CET
subversion-1.7.14-1.mga3 has been submitted.

someone has to submit subversion-1.8.5 in cauldron.
Comment 2 David Walser 2013-11-26 17:28:59 CET
Thanks Oden!  I sent a freeze push request for Cauldron.
Comment 3 David Walser 2013-11-28 16:39:20 CET
Still waiting for the freeze push in Cauldron.

Packages uploaded for Mageia 3 updates_testing:
subversion-1.7.14-1.mga3
subversion-doc-1.7.14-1.mga3
libsvn0-1.7.14-1.mga3
libsvn-gnome-keyring0-1.7.14-1.mga3
libsvn-kwallet0-1.7.14-1.mga3
subversion-server-1.7.14-1.mga3
subversion-tools-1.7.14-1.mga3
python-svn-1.7.14-1.mga3
ruby-svn-1.7.14-1.mga3
libsvnjavahl1-1.7.14-1.mga3
svn-javahl-1.7.14-1.mga3
perl-SVN-1.7.14-1.mga3
subversion-kwallet-devel-1.7.14-1.mga3
subversion-gnome-keyring-devel-1.7.14-1.mga3
perl-svn-devel-1.7.14-1.mga3
python-svn-devel-1.7.14-1.mga3
ruby-svn-devel-1.7.14-1.mga3
subversion-devel-1.7.14-1.mga3
apache-mod_dav_svn-1.7.14-1.mga3

from subversion-1.7.14-1.mga3.src.rpm
Comment 4 David Walser 2013-11-30 18:20:08 CET
subversion-1.8.5-1.mga4 uploaded for Cauldron.
Comment 5 David Walser 2013-11-30 18:34:44 CET
Advisory:
========================

Updated subversion packages fix security vulnerabilities:

mod_dontdothat allows you to block update REPORT requests against certain paths
in the repository.  It expects the paths in the REPORT request to be absolute
URLs.  Serf based clients send relative URLs instead of absolute URLs in many
cases.  As a result these clients are not blocked as configured by
mod_dontdothat (CVE-2013-4505).

When SVNAutoversioning is enabled via "SVNAutoversioning on", commits can be
made by single HTTP requests such as MKCOL and PUT.  If Subversion is built
with assertions enabled any such requests that have non-canonical URLs, such
as URLs with a trailing /, may trigger an assert.  An assert will cause the
Apache process to abort (CVE-2013-4558).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558
http://subversion.apache.org/security/CVE-2013-4505-advisory.txt
http://subversion.apache.org/security/CVE-2013-4558-advisory.txt
https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FE1.2030700@apache.org%3E
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.14-1.mga3
subversion-doc-1.7.14-1.mga3
libsvn0-1.7.14-1.mga3
libsvn-gnome-keyring0-1.7.14-1.mga3
libsvn-kwallet0-1.7.14-1.mga3
subversion-server-1.7.14-1.mga3
subversion-tools-1.7.14-1.mga3
python-svn-1.7.14-1.mga3
ruby-svn-1.7.14-1.mga3
libsvnjavahl1-1.7.14-1.mga3
svn-javahl-1.7.14-1.mga3
perl-SVN-1.7.14-1.mga3
subversion-kwallet-devel-1.7.14-1.mga3
subversion-gnome-keyring-devel-1.7.14-1.mga3
perl-svn-devel-1.7.14-1.mga3
python-svn-devel-1.7.14-1.mga3
ruby-svn-devel-1.7.14-1.mga3
subversion-devel-1.7.14-1.mga3
apache-mod_dav_svn-1.7.14-1.mga3

from subversion-1.7.14-1.mga3.src.rpm
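Both issues in the advisory come down to the same mistake: a path is checked (or asserted on) before it has been brought into canonical form. The script below is an added example, not code from Subversion, mod_dontdothat, Mageia or this update. It models the two behaviours side by side under assumptions that are not on the page: a simplified reading of mod_dontdothat's [recursive-actions] rules (patterns fnmatch-ed against the repository-relative path, an allow match beating a deny match), an assumed repository Location of /svn/repo, and constructed REPORT bodies and request URI. Names such as SVN_LOCATION, RULES, REQUEST_URI and the handler functions are invented for the illustration.

```python
"""Constructed model (added example, not code from Subversion, mod_dontdothat
or Mageia) of the two advisory issues.  It assumes a simplified reading of
mod_dontdothat's [recursive-actions] rules (patterns fnmatch-ed against the
repository-relative path, allow beating deny) and a made-up repository URL;
every request body below is constructed."""
import fnmatch
import re
from urllib.parse import urljoin, urlsplit

# Assumed Apache <Location> of the repository and constructed rules: block
# recursive REPORTs against the repository root, but allow any project's trunk.
SVN_LOCATION = "/svn/repo"
RULES = [("/*/trunk", "allow"), ("/", "deny")]

# Constructed requests.  A neon client puts an absolute URL in <S:src-path>;
# a serf client puts a URL relative to the request (the advisory's point).
REQUEST_URI = "http://host.example/svn/repo/"
BODY_NEON_ROOT = "<S:update-report><S:src-path>http://host.example/svn/repo/</S:src-path></S:update-report>"
BODY_SERF_ROOT = "<S:update-report><S:src-path>/svn/repo/</S:src-path></S:update-report>"
BODY_SERF_TRUNK = "<S:update-report><S:src-path>proj/trunk</S:src-path></S:update-report>"

_SRC_PATH = re.compile(r"<S:src-path>(.*?)</S:src-path>", re.S)


def src_path(body):
    """Pull the target of an update REPORT out of its body."""
    m = _SRC_PATH.search(body)
    if not m:
        raise ValueError("REPORT body has no <S:src-path>")
    return m.group(1).strip()


def canonical(path):
    """Canonical repository path: leading '/', no trailing '/', no empty or
    '.' segments ('..' is out of scope for this model)."""
    return "/" + "/".join(s for s in path.split("/") if s not in ("", "."))


def repo_path_of(url):
    """Map an absolute URL to a canonical repository-relative path, or None
    when the URL is not absolute or does not live under SVN_LOCATION."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    if parts.path == SVN_LOCATION or parts.path.startswith(SVN_LOCATION + "/"):
        return canonical(parts.path[len(SVN_LOCATION):])
    return None


def rules_allow(repo_path):
    """Any matching allow rule wins; otherwise a matching deny rule blocks."""
    hits = {action for pattern, action in RULES
            if fnmatch.fnmatchcase(repo_path, pattern)}
    return "allow" in hits or "deny" not in hits


def report_allowed_vulnerable(request_uri, body):
    """Pre-fix behaviour as the advisory describes it: only an absolute URL is
    matched against the rules, so a relative src-path is never filtered."""
    repo_path = repo_path_of(src_path(body))
    if repo_path is None:
        return True          # fail open: nothing to match
    return rules_allow(repo_path)


def report_allowed_fixed(request_uri, body):
    """Resolve the src-path against the request URI first, so both client
    styles reach the same rule; an unmappable path is denied (fail closed)."""
    repo_path = repo_path_of(urljoin(request_uri, src_path(body)))
    if repo_path is None:
        return False
    return rules_allow(repo_path)


def mkcol_vulnerable(repo_path):
    """Autoversioning MKCOL on a server built with assertions: a non-canonical
    URL such as '/proj/newdir/' trips the assert, which aborts the process."""
    assert repo_path == canonical(repo_path), "non-canonical path reached the core"
    return ("created", repo_path)


def mkcol_fixed(repo_path):
    """Canonicalise the URL before it reaches the asserting code."""
    path = canonical(repo_path)
    assert path == canonical(path)
    return ("created", path)


def outcome(handler, repo_path):
    """Run a MKCOL handler and report 'aborted' instead of crashing, so the
    two behaviours can be compared side by side."""
    try:
        return handler(repo_path)
    except AssertionError:
        return ("aborted", repo_path)


if __name__ == "__main__":
    for body in (BODY_NEON_ROOT, BODY_SERF_ROOT, BODY_SERF_TRUNK):
        print(src_path(body), report_allowed_vulnerable(REQUEST_URI, body),
              report_allowed_fixed(REQUEST_URI, body))
    print(outcome(mkcol_vulnerable, "/proj/newdir/"), outcome(mkcol_fixed, "/proj/newdir/"))
```

Run as a script, the model shows the relative src-path "/svn/repo/" slipping past the vulnerable filter while the fixed one resolves it to the root and denies it, and the trailing-slash MKCOL aborting the vulnerable handler while the fixed one creates "/proj/newdir". The fail-closed choice for unmappable paths is this example's design decision, not something the advisory states; a real filter module has Apache's parsed request to work from and need not guess.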
Comment 6 Dave Hodgins 2013-11-30 19:07:53 CET
Advisory 11780.adv committed to svn
Comment 7 Dave Hodgins 2013-11-30 19:25:21 CET
Testing complete mageia 3 i586 and x86_64. Validating the update.

Someone from the sysadmin team, please push 11780.adv to updates.
Comment 8 Thomas Backlund 2013-11-30 22:48:12 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0360.html
