Importance of Apache HTTP 2.2.25 Release to Subversion Admins

From: Ben Reser <breser_at_apache.org>
Date: Thu, 11 Jul 2013 15:11:45 -0700

As you may have seen on our announce mailing list yesterday, the
Apache HTTP Server Project released 2.2.25 yesterday.

This release includes a security fix that is important for Subversion
sites using mod_dav_svn to host their repositories. Specifically it
includes a fix for the following DoS issue:

   * SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by
     mod_dav_svn with the source href (sent as part of the request body
     as XML) pointing to a URI that is not configured for DAV will
     trigger a segfault.

Exploiting this vulnerability does require write access to the
repository, so it is a relatively low risk issue.

There are no known workarounds available, so the only way to resolve
this issue is to upgrade or patch the Apache HTTP server. Also note
that at this time there is no Apache HTTP 2.4.x release that includes
this fix. We anticipate that the HTTP project will release 2.4.5 soon
which we expect to include the fix for those using HTTP 2.4.x.

You can download the Apache HTTP 2.2.25 release from:

    http://httpd.apache.org/download.cgi

Received on 2013-07-12 00:12:40 CEST

This is an archived mail posted to the Subversion Dev mailing list.
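
An added example, not part of the original mail or of the httpd or Subversion projects: one way to look for MERGE requests that may have hit the crash described above, assuming mod_log_forensic is enabled on the server. That module logs each request before it is handled and again when it completes, so a MERGE with no completion record is worth a closer look. The log lines, request ids and host name below are constructed.

```python
from urllib.parse import unquote

# Constructed mod_log_forensic sample (ids, host and paths are made up).
# "+id|request line|Header:value|..." is written before a request is handled,
# "-id" after it completes; a child that crashes never writes the "-" line.
FORENSIC_LOG = """\
+ZXhhbXBsZTAwMDE|OPTIONS /svn/repo HTTP/1.1|Host:svn.example.org|User-Agent:SVN/1.7.10
-ZXhhbXBsZTAwMDE
+ZXhhbXBsZTAwMDI|MERGE /svn/repo HTTP/1.1|Host:svn.example.org|User-Agent:SVN/1.7.10
-ZXhhbXBsZTAwMDI
+ZXhhbXBsZTAwMDM|MERGE /svn/repo HTTP/1.1|Host:svn.example.org|User-Agent:example-client
+ZXhhbXBsZTAwMDQ|GET /index.html HTTP/1.1|Host:svn.example.org
-ZXhhbXBsZTAwMDQ
"""


def unfinished_requests(lines, method="MERGE"):
    """Return forensic entries for `method` that have no completion record."""
    pending = {}
    for raw in lines:
        line = raw.strip()
        if line.startswith("+"):
            fields = line[1:].split("|")
            if len(fields) < 2:
                continue  # malformed or truncated entry
            req_id, request_line = fields[0], unquote(fields[1])
            # Header fields are "Name:value"; special characters are %xx-escaped.
            headers = {unquote(k): unquote(v)
                       for k, _, v in (f.partition(":") for f in fields[2:])}
            pending[req_id] = {"id": req_id, "request": request_line,
                               "host": headers.get("Host", "")}
        elif line.startswith("-"):
            pending.pop(line[1:], None)  # request completed normally
    # Whatever is left never completed (or was still in flight when read).
    return [e for e in pending.values()
            if e["request"].split(" ", 1)[0] == method]


if __name__ == "__main__":
    for entry in unfinished_requests(FORENSIC_LOG.splitlines()):
        print(entry["id"], entry["host"], entry["request"])
```

A hit is a lead rather than proof: any crash or a request still in progress leaves the same trace, so compare the time against child segfault notices in the error log.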