[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion 1.0.3 released. *SECURITY FIX*

From: Branko Čibej <brane_at_xbc.nu>
Date: 2004-05-20 01:11:56 CEST

The Win32 binaries are now available:

    http://subversion.tigris.org/files/documents/15/13441/svn-win32-1.0.3.zip
    http://subversion.tigris.org/files/documents/15/13437/svn-win32-1.0.3_dev.zip
    http://subversion.tigris.org/files/documents/15/13438/svn-win32-1.0.3_pdb.zip
    http://subversion.tigris.org/files/documents/15/13439/svn-win32-1.0.3_py.zip

The MD5 checksums are:

    e7c0ab925a7f2e4711ab15f2ad214e6c *svn-win32-1.0.3.zip
    2a2e41f91c259744f2a67731749eecd4 *svn-win32-1.0.3_dev.zip
    be8e075fd68ee20ba8bb390cd824df82 *svn-win32-1.0.3_pdb.zip
    8041994dce562d1bd1bc85d6d2e74e3e *svn-win32-1.0.3_py.zip

-- Brane

Ben Reser wrote:

>Subversion 1.0.3 is ready. Grab it from:
>
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>
>The MD5 checksums are:
>
> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>
>
>Subversion versions up to and including 1.0.2 have a buffer overflow in
>the date parsing code.
>
>Both client and server are vulnerable. The server is vulnerable over
>both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>svn+ssh:// and other tunneled svn+*:// methods).
>
>Additionally, clients with shared working copies, or permissions that
>allow files in the administrative area of the working copy to be
>written by other users, are potentially exploitable.
>
>Severity:
>=========
>
>Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>Code Execution", depending upon how skilled the attacker is and the
>ABI specifics of your platform.
>
>The server vulnerabilities can be triggered without write/commit access
>to the repository. So repositories with anonymous/public read access
>are vulnerable.
>
>Workarounds:
>============
>
>There are no workarounds except to disallow public access. Even then
>you'd still be vulnerable to attack by someone who still has access
>(perhaps you trust those people, though).
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.3.
>
>References:
>===========
>
>CAN-2004-0397: subversion sscanf stack overflow via revision date
> in REPORT query
>
>Note:
>=====
>
>There was a similar vulnerability in the Neon HTTP library up to and
>including version 0.24.5. Because Subversion ships with Neon, we have
>included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>simultaneously. Subversion does not actually invoke the vulnerable code
>in Neon; we are updating our copy of Neon simply as a reassuring
>gesture, so people don't worry. See CAN-2004-0398 for details.
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: security bug in date parsing. (CAN-2004-0397)
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu May 20 01:12:28 2004

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.