====================================================== Name: CVE-2014-0032 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20131203 Category: Reference: MLIST:[subversion-dev] 20140110 2 Re: Segfault in mod_dav_svn with repositories on / Reference: URL:http://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3C52D328AB.8090502@reser.org%3E Reference: MLIST:[subversion-dev] 20140110 Re: Segfault in mod_dav_svn with repositories on / Reference: URL:http://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3C871u0gqb0d.fsf@ntlworld.com%3E Reference: MLIST:[subversion-dev] 20140110 Sin mod_dav_svn with repositories on / Reference: URL:http://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3CCANvU9scLHr2yOLABW8q6_wNzhEf7pWM=NiavGcobqvUuyhKyAA@mail.gmail.com%3E Reference: CONFIRM:http://svn.apache.org/repos/asf/subversion/tags/1.7.15/CHANGES Reference: CONFIRM:http://svn.apache.org/repos/asf/subversion/tags/1.8.6/CHANGES Reference: CONFIRM:http://svn.apache.org/viewvc?view=revision&revision=1557320 Reference: BID:65434 Reference: URL:http://www.securityfocus.com/bid/65434 Reference: OSVDB:102927 Reference: URL:http://www.osvdb.org/102927 Reference: SECUNIA:56822 Reference: URL:http://secunia.com/advisories/56822 Reference: XF:apache-subversion-cve20140032-dos(90986) Reference: URL:http://xforce.iss.net/xforce/xfdb/90986 The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command. Reproducible: Steps to Reproduce:
Thanks. So we can update Mageia 4 to 1.8.6 and Mageia 3 to 1.7.15. The Mageia 3 update will also fix Bug 12059 there.
Version: 3 => CauldronBlocks: (none) => 12059Summary: CVE-2014-0032: subversion - Segfault in mod_dav_svn with repositories on / => subversion - Segfault in mod_dav_svn with repositories on / (CVE-2014-0032)Whiteboard: (none) => MGA4TOO, MGA3TOO
Once 1.7.15 and 1.8.6 has been released.
Version: Cauldron => 3
CC: (none) => luigiwalserVersion: 3 => Cauldron
Oden has fixed this in Cauldron by updating to 1.8.8, which was announced here: https://mail-archives.apache.org/mod_mbox/subversion-dev/201402.mbox/%3C530633AC.2050507@apache.org%3E An updated 1.7.x version has not been announced yet. I've checked 1.8.8 into Mageia 4 SVN.
Version: Cauldron => 4Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Advisory (Mageia 3): ======================== Updated subversion packages fix security vulnerability: The mod_dav_svn module in Apache Subversion before 1.8.8, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via an OPTIONS request (CVE-2014-0032). The package has been patched to correct this issue. Additionally, the svnserve service was using the incorrect root directory for the repositories. This has also been corrected. The root directory is now defined in the /etc/sysconfig/svnserve file. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032 https://subversion.apache.org/security/CVE-2014-0032-advisory.txt https://mail-archives.apache.org/mod_mbox/subversion-dev/201402.mbox/%3C530633AC.2050507@apache.org%3E https://bugs.mageia.org/show_bug.cgi?id=12059 https://bugs.mageia.org/show_bug.cgi?id=12768 ======================== Updated packages in core/updates_testing: ======================== subversion-1.7.14-1.1.mga3 subversion-doc-1.7.14-1.1.mga3 libsvn0-1.7.14-1.1.mga3 libsvn-gnome-keyring0-1.7.14-1.1.mga3 libsvn-kwallet0-1.7.14-1.1.mga3 subversion-server-1.7.14-1.1.mga3 subversion-tools-1.7.14-1.1.mga3 python-svn-1.7.14-1.1.mga3 ruby-svn-1.7.14-1.1.mga3 libsvnjavahl1-1.7.14-1.1.mga3 svn-javahl-1.7.14-1.1.mga3 perl-SVN-1.7.14-1.1.mga3 subversion-kwallet-devel-1.7.14-1.1.mga3 subversion-gnome-keyring-devel-1.7.14-1.1.mga3 perl-svn-devel-1.7.14-1.1.mga3 python-svn-devel-1.7.14-1.1.mga3 ruby-svn-devel-1.7.14-1.1.mga3 subversion-devel-1.7.14-1.1.mga3 apache-mod_dav_svn-1.7.14-1.1.mga3 from subversion-1.7.14-1.1.mga3.src.rpm Advisory (Mageia 4): ======================== Updated subversion packages fix security vulnerability: The mod_dav_svn module in Apache Subversion before 1.8.8, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via an OPTIONS request (CVE-2014-0032). The package has been updated to version 1.8.8, which fixes this issue, as well as several others. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032 https://subversion.apache.org/security/CVE-2014-0032-advisory.txt https://mail-archives.apache.org/mod_mbox/subversion-dev/201402.mbox/%3C530633AC.2050507@apache.org%3E https://bugs.mageia.org/show_bug.cgi?id=12768 ======================== Updated packages in core/updates_testing: ======================== subversion-1.8.8-1.mga4 subversion-doc-1.8.8-1.mga4 libsvn0-1.8.8-1.mga4 libsvn-gnome-keyring0-1.8.8-1.mga4 libsvn-kwallet0-1.8.8-1.mga4 subversion-server-1.8.8-1.mga4 subversion-tools-1.8.8-1.mga4 python-svn-1.8.8-1.mga4 ruby-svn-1.8.8-1.mga4 libsvnjavahl1-1.8.8-1.mga4 svn-javahl-1.8.8-1.mga4 perl-SVN-1.8.8-1.mga4 subversion-kwallet-devel-1.8.8-1.mga4 subversion-gnome-keyring-devel-1.8.8-1.mga4 perl-svn-devel-1.8.8-1.mga4 python-svn-devel-1.8.8-1.mga4 ruby-svn-devel-1.8.8-1.mga4 subversion-devel-1.8.8-1.mga4 apache-mod_dav_svn-1.8.8-1.mga4 from subversion-1.8.8-1.mga4.src.rpm
Assignee: bugsquad => qa-bugsSeverity: normal => major
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10479#c5
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Tested on Mageia 4 x86_65. Here is the process # urpmi apache-mod_dav_svn # svnadmin create --fs-type fsfs /var/www/svn # cat /etc/httpd/conf/vhosts.d/svn.conf <location "/svn"> DAV svn SVNPath "/var/www/svn/" AuthType Basic AuthName "Your Subversion Repository" AuthUserFile "/var/www/svn/.dav_svn.passwd" Require valid-user </location> # service httpd restart create a user to use web access # htpasswd -c /var/www/svn/.dav_svn.passwd test checked it works ok: use a browser http://localhost/svn validated on Mageia4 x86_64
CC: (none) => ennael1Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Process applied also on Mageia 4 i586 - validated also
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok
Testing complete on Mageia 3 i586 using Anne's procedure.
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga4-64-ok mga4-32-ok
Testing complete mga3 64 Separate advisories uploaded 12768.mga3.adv & 12768.mga4.adv Validating. Could sysadmin please push to updates Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Mga3 update pushed: http://advisories.mageia.org/MGASA-2014-0104.html Mga4 update pushed: http://advisories.mageia.org/MGASA-2014-0105.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/588860/