Upstream has released 1.7.9 to fix several security issues: http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E Full changelog here: http://svn.apache.org/repos/asf/subversion/tags/1.7.9/CHANGES Mageia 2 is also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA2TOO
URL: (none) => http://lwn.net/Vulnerabilities/546161/
Updated packages uploaded for Mageia 2 and Cauldron. Advisory: ======================== Updated subversion packages fix security vulnerabilities: Excessive memory usage from property changes in mod_dav_svn in Subversion before 1.7.9 (CVE-2013-1845). Crashes on LOCK requests against activity URLs in mod_dav_svn in Subversion before 1.7.9 (CVE-2013-1846). Crashes on LOCK requests against non-existant URLs in mod_dav_svn in Subversion before 1.7.9 (CVE-2013-1847). Crashes on PROPFIND requests against activity URLs in mod_dav_svn in Subversion before 1.7.9 (CVE-2013-1849). Crashes on out of range limit in log REPORT requestin mod_dav_svn in Subversion before 1.7.9 (CVE-2013-1884). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1884 http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E http://svn.apache.org/repos/asf/subversion/tags/1.7.9/CHANGES ======================== Updated packages in core/updates_testing: ======================== subversion-1.7.9-1.mga2 subversion-doc-1.7.9-1.mga2 libsvn0-1.7.9-1.mga2 libsvn-gnome-keyring0-1.7.9-1.mga2 libsvn-kwallet0-1.7.9-1.mga2 subversion-server-1.7.9-1.mga2 subversion-tools-1.7.9-1.mga2 python-svn-1.7.9-1.mga2 ruby-svn-1.7.9-1.mga2 libsvnjavahl1-1.7.9-1.mga2 svn-javahl-1.7.9-1.mga2 perl-SVN-1.7.9-1.mga2 subversion-kwallet-devel-1.7.9-1.mga2 subversion-gnome-keyring-devel-1.7.9-1.mga2 perl-svn-devel-1.7.9-1.mga2 python-svn-devel-1.7.9-1.mga2 ruby-svn-devel-1.7.9-1.mga2 subversion-devel-1.7.9-1.mga2 apache-mod_dav_svn-1.7.9-1.mga2 from subversion-1.7.9-1.mga2.src.rpm
Version: Cauldron => 2Assignee: bugsquad => qa-bugsWhiteboard: MGA2TOO => (none)
Trying to get mod_dav_svn working. mkdir /var/www/uploads svnadmin create /var/www/uploads chown -R apache.apache /var/www/uploads chmod g+s /var/www/uploads edit /etc/httpd/modules.d/45_mod_dav.conf - uncomment the lines related to /var/www/uploads htdigest -c "/usr/user.passwd" DAV-upload admin edit /etc/httpd/modules.d/47_mod_authz_svn.conf Change location and SVNpath to /var/www/uploads AuthUserFile /usr/user.passwd Don't know what to put for AuthzSVNAccessFile If I try to access localhost/uploads, I'm getting a 403 status. Suggestions?
CC: (none) => davidwhodgins
Severity: normal => major
Some basic testing info in bug 6551 comment 6 and 7 (sorry Dave it doesn't help with mod_dav_svn)
Mandriva has issued an advisory for this today (April 26): http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:153/ Oden, can you give us a hint on how to test mod_dav_svn so we can release this?
CC: (none) => oe
Here's an updated advisory, based on Oden's. Advisory: ======================== Updated subversion packages fix security vulnerabilities: Subversion's mod_dav_svn Apache HTTPD server module will use excessive amounts of memory when a large number of properties are set or deleted on a node. This can lead to a DoS. There are no known instances of this problem being observed in the wild (CVE-2013-1845). Subversion's mod_dav_svn Apache HTTPD server module will crash when a LOCK request is made against activity URLs. This can lead to a DoS. There are no known instances of this problem being observed in the wild (CVE-2013-1846). Subversion's mod_dav_svn Apache HTTPD server module will crash in some circumstances when a LOCK request is made against a non-existent URL. This can lead to a DoS. There are no known instances of this problem being observed in the wild (CVE-2013-1847). Subversion's mod_dav_svn Apache HTTPD server module will crash when a PROPFIND request is made against activity URLs. This can lead to a DoS. There are no known instances of this problem being observed in the wild, but the details of how to exploit it have been disclosed on the full disclosure mailing list (CVE-2013-1849). Subversion's mod_dav_svn Apache HTTPD server module will crash when a log REPORT request receives a limit that is out of the allowed range. This can lead to a DoS. There are no known instances of this problem being used as a DoS in the wild (CVE-2013-1884). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1884 http://subversion.apache.org/security/CVE-2013-1845-advisory.txt http://subversion.apache.org/security/CVE-2013-1846-advisory.txt http://subversion.apache.org/security/CVE-2013-1847-advisory.txt http://subversion.apache.org/security/CVE-2013-1849-advisory.txt http://subversion.apache.org/security/CVE-2013-1884-advisory.txt http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E http://svn.apache.org/repos/asf/subversion/tags/1.7.9/CHANGES ======================== Updated packages in core/updates_testing: ======================== subversion-1.7.9-1.mga2 subversion-doc-1.7.9-1.mga2 libsvn0-1.7.9-1.mga2 libsvn-gnome-keyring0-1.7.9-1.mga2 libsvn-kwallet0-1.7.9-1.mga2 subversion-server-1.7.9-1.mga2 subversion-tools-1.7.9-1.mga2 python-svn-1.7.9-1.mga2 ruby-svn-1.7.9-1.mga2 libsvnjavahl1-1.7.9-1.mga2 svn-javahl-1.7.9-1.mga2 perl-SVN-1.7.9-1.mga2 subversion-kwallet-devel-1.7.9-1.mga2 subversion-gnome-keyring-devel-1.7.9-1.mga2 perl-svn-devel-1.7.9-1.mga2 python-svn-devel-1.7.9-1.mga2 ruby-svn-devel-1.7.9-1.mga2 subversion-devel-1.7.9-1.mga2 apache-mod_dav_svn-1.7.9-1.mga2 from subversion-1.7.9-1.mga2.src.rpm
Whoops, forgot to add MDV's advisory to the References. Advisory: ======================== Updated subversion packages fix security vulnerabilities: Subversion's mod_dav_svn Apache HTTPD server module will use excessive amounts of memory when a large number of properties are set or deleted on a node. This can lead to a DoS. There are no known instances of this problem being observed in the wild (CVE-2013-1845). Subversion's mod_dav_svn Apache HTTPD server module will crash when a LOCK request is made against activity URLs. This can lead to a DoS. There are no known instances of this problem being observed in the wild (CVE-2013-1846). Subversion's mod_dav_svn Apache HTTPD server module will crash in some circumstances when a LOCK request is made against a non-existent URL. This can lead to a DoS. There are no known instances of this problem being observed in the wild (CVE-2013-1847). Subversion's mod_dav_svn Apache HTTPD server module will crash when a PROPFIND request is made against activity URLs. This can lead to a DoS. There are no known instances of this problem being observed in the wild, but the details of how to exploit it have been disclosed on the full disclosure mailing list (CVE-2013-1849). Subversion's mod_dav_svn Apache HTTPD server module will crash when a log REPORT request receives a limit that is out of the allowed range. This can lead to a DoS. There are no known instances of this problem being used as a DoS in the wild (CVE-2013-1884). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1884 http://subversion.apache.org/security/CVE-2013-1845-advisory.txt http://subversion.apache.org/security/CVE-2013-1846-advisory.txt http://subversion.apache.org/security/CVE-2013-1847-advisory.txt http://subversion.apache.org/security/CVE-2013-1849-advisory.txt http://subversion.apache.org/security/CVE-2013-1884-advisory.txt http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E http://svn.apache.org/repos/asf/subversion/tags/1.7.9/CHANGES http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:153/ ======================== Updated packages in core/updates_testing: ======================== subversion-1.7.9-1.mga2 subversion-doc-1.7.9-1.mga2 libsvn0-1.7.9-1.mga2 libsvn-gnome-keyring0-1.7.9-1.mga2 libsvn-kwallet0-1.7.9-1.mga2 subversion-server-1.7.9-1.mga2 subversion-tools-1.7.9-1.mga2 python-svn-1.7.9-1.mga2 ruby-svn-1.7.9-1.mga2 libsvnjavahl1-1.7.9-1.mga2 svn-javahl-1.7.9-1.mga2 perl-SVN-1.7.9-1.mga2 subversion-kwallet-devel-1.7.9-1.mga2 subversion-gnome-keyring-devel-1.7.9-1.mga2 perl-svn-devel-1.7.9-1.mga2 python-svn-devel-1.7.9-1.mga2 ruby-svn-devel-1.7.9-1.mga2 subversion-devel-1.7.9-1.mga2 apache-mod_dav_svn-1.7.9-1.mga2 from subversion-1.7.9-1.mga2.src.rpm
After adding Allow from 127.0.0.1 to the <Directory "/var/www/uploads"> section of /etc/httpd/modules.d/45_mod_dav.conf Trying to access http://localhost/uploads/ still returns a 403 status, but with the message You don't have permission to access the requested directory. There is either no index document or the directory is read-protected. No idea what I'm missing.
Testing complete mga2 64 I think you're just editing the wrong file Dave. Followed the tutorial here to create an svn repo at /home/claire/svn with something in it: http://maverick.inria.fr/~Xavier.Decoret/resources/svn/ Edited /etc/httpd/modules.d/46_mod_dav_svn.conf Ignored the bit about limiting to users and just changed this bit.. <Location /svn/repos> DAV svn SVNPath /home/claire/svn # # Limit write permission to list of valid users. # <LimitExcept GET PROPFIND OPTIONS REPORT> # # Require SSL connection for password protection. # # SSLRequireSSL # # AuthType Basic # AuthName "Authorization Realm" # AuthUserFile /absolute/path/to/passwdfile # Require valid-user # </LimitExcept> </Location> After that http://localhost/svn/repos shows the contents of the svn repo.
Whiteboard: (none) => has_procedure mga2-64-ok
Forgot to mention, I restarted httpd after editing the file.
Testing complete mga2 32 Validating Advisory & SRPM in comment 6 Could sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateWhiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-okCC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0127
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED