Hiya,
I also read there it said 'all versions before 1.0.5'... perhaps not those exact same words, don't feel like looking it up again; to me it reads like those problems have already been fixed. Therefore I'm not too concerned by SVN's mention on that list :-)
cheers,
--Tim
-----Original Message-----
From: Wadsworth, Eric (Contractor) [mailto:WADSWORE@fhu.disa.mil]
Sent: Tuesday, October 12, 2004 5:06 PM
To: 'kfogel@collab.net'; Jeremy Pereira
Cc: Subversion Users
Subject: RE: You know you've made it when...
It says:
============
Subversion is another version control system for Linux that is gaining
popularity. The project was started with an aim of designing a better system
than the CVS. A Subversion repository can be accessed via the "svn"
protocol, if the repository is running "svnserve". The svn server runs on
port 3690/tcp by default. The server contains the following vulnerabilities:
* A heap-based overflow that can be exploited by an unauthenticated attacker
to execute arbitrary code.
* A stack-based overflow that can be triggered by a specially crafted
get-dated-rev svn command. If the server is configured for anonymous access,
an unauthenticated attacker may exploit arbitrary code on the server.
Multiple exploits for this flaw have been posted to the Internet.
============
These are non-issues if you're using apache instead of svnserve, right?
****
**** --- Eric Wadsworth, 520-533-2749
****
> -----Original Message-----
> From: kfogel@collab.net [mailto:kfogel@collab.net]
> Sent: Monday, October 11, 2004 9:26 AM
> To: Jeremy Pereira
> Cc: Subversion Users
> Subject: Re: You know you've made it when...
>
>
> Jeremy Pereira <jeremyp@jeremyp.net> writes:
> > your software appears in the SANS institute's top 10 Unix
> > vulnerabilities.
> >
> > http://www.sans.org/top20/#u4
>
> Too bad CVS and Subversion are lumped together, and therefore both
> contribute to the position.
>
> Positions 1, 2, and 3, are BIND/DNS, Web Server, and Authentication
> (all authentication software!) respectively. In other words, by
> putting your computer on the Net, you're vulnerable :-).
>
> -Karl
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Oct 12 17:23:25 2004