
Vulnerability in APR: CVE-2011-0419

From: Hyrum K Wright <hyrum_at_hyrumwright.org>
Date: Sat, 14 May 2011 11:27:34 +0000

To interested persons:

Apache Subversion uses the Apache Portable Runtime (APR) to provide
platform-specific and other utility services. APR announced the
availability of APR 1.4.4, which addresses CVE-2011-0419, a potential
unconstrained recursion bug in apr_fnmatch(). An attacker could
potentially exploit this issue to cause the target machine to exhaust
stack memory or use excessive CPU. Prior to Subversion 1.6.16,
Subversion used the compromised function on untrusted data in
mod_dav_svn, exposing it to this flaw.

In Subversion 1.6.16, mod_dav_svn was changed to avoid the use of
apr_fnmatch(), eliminating this attack vector for Subversion. Thus,
Subversion systems are only vulnerable if they are running *both* APR
< 1.4.4 and Subversion < 1.6.16. It is recommended that users upgrade
one or both of these components as soon as is convenient.

To read more about the APR 1.4.4 release, see
http://www.apache.org/dist/apr/Announcement1.x.html

- The Subversion Team
Received on 2011-05-14 13:28:09 CEST

This is an archived mail posted to the Subversion Dev mailing list.
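
The exposure rule stated in the message above (vulnerable only when *both* APR < 1.4.4 and Subversion < 1.6.16), as an added example that is not part of the original mail or of the Subversion project's code. The host names and version strings in the inventory are constructed, and the function names are hypothetical.

```python
import re

# Fixed releases as named in the advisory text.
APR_FIXED = (1, 4, 4)
SVN_FIXED = (1, 6, 16)


def parse_version(text):
    """Return (major, minor, patch) from strings such as '1.6.15' or
    '1.4.2-dev'. A missing patch level counts as 0. Comparing integer
    tuples avoids the string-comparison trap where '1.6.9' > '1.6.16'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def exposure(apr_version, svn_version):
    """Classify one host using the advisory's 'both components' rule."""
    apr_old = parse_version(apr_version) < APR_FIXED
    svn_old = parse_version(svn_version) < SVN_FIXED
    if apr_old and svn_old:
        return "vulnerable"
    if apr_old:
        return "Subversion not exposed; APR still < 1.4.4"
    if svn_old:
        return "Subversion not exposed; Subversion still < 1.6.16"
    return "not exposed"


def triage(inventory):
    """Map each host to its exposure status."""
    return {host: exposure(apr, svn) for host, (apr, svn) in inventory.items()}


# Constructed inventory: host -> (APR version, Subversion version).
SAMPLE_INVENTORY = {
    "svn-a.example": ("1.4.2", "1.6.15"),
    "svn-b.example": ("1.4.2", "1.6.16"),
    "svn-c.example": ("1.4.4", "1.6.9"),
    "svn-d.example": ("1.4.5", "1.6.17"),
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Distribution packages sometimes backport fixes without changing the upstream version number, so a "vulnerable" result from version strings alone should be confirmed against the vendor's package changelog.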
