
Re: Subversion 1.0.3 released. *SECURITY FIX*

From: Patrick Mayweg <mayweg_at_qint.de>
Date: 2004-05-19 13:04:56 CEST

The javahl binding for Subversion 1.0.3 on Win32 is ready. Grab it from:

  http://subversion.tigris.org/files/documents/15/13434/svn-win32-1.0.3_javahl.zip

The MD5 checksum is:

  3fdc12912ed891901f8014927ee0a465

Patrick

Ben Reser wrote:

>Subversion 1.0.3 is ready. Grab it from:
>
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>
>The MD5 checksums are:
>
> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>
>
>Subversion versions up to and including 1.0.2 have a buffer overflow in
>the date parsing code.
>
>Both client and server are vulnerable. The server is vulnerable over
>both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>svn+ssh:// and other tunneled svn+*:// methods).
>
>Additionally, clients with shared working copies, or permissions that
>allow files in the administrative area of the working copy to be
>written by other users, are potentially exploitable.
>
>Severity:
>=========
>
>Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>Code Execution", depending upon how skilled the attacker is and the
>ABI specifics of your platform.
>
>The server vulnerabilities can be triggered without write/commit access
>to the repository. So repositories with anonymous/public read access
>are vulnerable.
>
>Workarounds:
>============
>
>There are no workarounds except to disallow public access. Even then
>you'd still be vulnerable to attack by someone who still has access
>(perhaps you trust those people, though).
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.3.
>
>References:
>===========
>
>CAN-2004-0397: subversion sscanf stack overflow via revision date
> in REPORT query
>
>Note:
>=====
>
>There was a similar vulnerability in the Neon HTTP library up to and
>including version 0.24.5. Because Subversion ships with Neon, we have
>included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>simultaneously. Subversion does not actually invoke the vulnerable code
>in Neon; we are updating our copy of Neon simply as a reassuring
>gesture, so people don't worry. See CAN-2004-0398 for details.
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: security bug in date parsing. (CAN-2004-0397)
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Wed May 19 13:05:38 2004

This is an archived mail posted to the Subversion Dev mailing list.
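
The bug class named in the advisory above (an sscanf stack overflow in date parsing), as an added C example that is not Subversion's code and not part of the original mail. The date layout, the struct and the function name are constructed for illustration; the point is the bounded field widths and the full-consumption check.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout for this example: "Wed 19 May 2004 13:04:56". */
struct parsed_date {
    char wkday[4];                  /* 3 letters + NUL */
    char month[4];                  /* 3 letters + NUL */
    int day, year, hour, min, sec;
};

/* Unsafe pattern, shown only as a comment: an unbounded %s copies the whole
 * token, however long, into the 4-byte buffer:
 *     sscanf(text, "%s %d %s %d %d:%d:%d", d->wkday, ...);
 */

/* Returns 0 on success, -1 if the text does not match the layout. */
int parse_date_bounded(const char *text, struct parsed_date *d)
{
    int consumed = 0;

    if (text == NULL || d == NULL)
        return -1;
    memset(d, 0, sizeof *d);
    /* %3s stores at most 3 characters plus the NUL; %n records how far the
     * scan got, so over-long tokens and trailing bytes are rejected. */
    if (sscanf(text, "%3s %2d %3s %4d %2d:%2d:%2d%n",
               d->wkday, &d->day, d->month, &d->year,
               &d->hour, &d->min, &d->sec, &consumed) != 7)
        return -1;
    if (text[consumed] != '\0')
        return -1;
    if (d->day < 1 || d->day > 31 || d->year < 0 || d->hour < 0 ||
        d->hour > 23 || d->min < 0 || d->min > 59 || d->sec < 0 || d->sec > 60)
        return -1;
    return 0;
}

int main(void)
{
    char oversized[4096];           /* constructed hostile input */
    struct parsed_date d;

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("valid: %d\n", parse_date_bounded("Wed 19 May 2004 13:04:56", &d));
    printf("oversized: %d\n", parse_date_bounded(oversized, &d));
    return 0;
}
```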
