
Apple's CVE-2014-1266 and Subversion

From: Ben Reser <ben_at_reser.org>
Date: Sat, 22 Feb 2014 12:02:10 -0800

Background for people that haven't heard:
https://www.imperialviolet.org/2014/02/22/applebug.html

Subversion on OS X is **NOT** vulnerable to this.

First of all, the problem is in Apple's SecureTransport functionality. Neither
of our HTTP libraries, which we depend on to handle SSL for us, supports Apple's
SecureTransport in any released version.

For neon clients (1.7.x and older, though 1.4.x and newer can be using serf as
well), neon only supports OpenSSL or GnuTLS.

For serf clients (1.8.x or newer, 1.4.x optionally at configure time, 1.5.x and
newer optionally at configure and run time configuration), serf only supports
OpenSSL at this time. There is work ongoing to enable SecureTransport and
other SSL implementations in Serf but it's unreleased.

You can check this by doing:
svn cat https://www.imperialviolet.org:1266

You should see an error about the SSL handshake or an error running context or
an error connecting to the repository or an error during SSL communication
(depending on Subversion version and HTTP Library version).

You can of course toggle between HTTP libraries with:
--config-option servers:global:http-library=serf
  or
--config-option servers:global:http-library=neon

If you remove the port number and go to the default https port (which has a
well formed certificate and is not a demonstration of the bug), you'll still
get an error but it'll be about XML parsing because we got past the SSL session
startup and didn't like the response the server sent since it's not actually a
Subversion server on the other end.
Received on 2014-02-22 21:02:43 CET

This is an archived mail posted to the Subversion Dev mailing list.
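The bug the post links to is a control-flow defect in SecureTransport's ServerKeyExchange signature check, not a weakness in any cipher. The following is an added example, not Ben's, Apple's or Subversion's code: a reconstruction of the "goto fail" pattern in C, with a toy FNV-style hash standing in for SHA-1 and an equality check standing in for RSA verification. The function names, the error constant, the hash and the sample transcript bytes are all constructed for illustration; only the shape of the control flow follows the real defect.

```c
/* Added example: reconstruction of the CVE-2014-1266 "goto fail" pattern.
 * NOT Apple's SecureTransport source and NOT Subversion/serf/neon code.
 * All names, the toy hash, the error value and the sample bytes are
 * constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int OSStatus;
#define ERR_BAD_SIGNATURE (-9809)   /* hypothetical error code */
#define SAMPLE_LEN 8

/* Constructed sample transcript: what the client would hash before
 * checking the server's signature over the key exchange parameters. */
static const uint8_t CLIENT_RANDOM[SAMPLE_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t SERVER_RANDOM[SAMPLE_LEN] = {9, 8, 7, 6, 5, 4, 3, 2};
static const uint8_t SIGNED_PARAMS[SAMPLE_LEN] = {0xaa, 0xbb, 0xcc, 0xdd, 1, 2, 3, 4};

/* Toy hash (FNV-1a style) standing in for the SHA-1 update/final calls. */
struct hash_ctx { uint32_t h; };
static void hash_init(struct hash_ctx *c) { c->h = 2166136261u; }
static OSStatus hash_update(struct hash_ctx *c, const uint8_t *p, size_t n) {
    if (p == NULL) return -1;
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return 0;
}
static OSStatus hash_final(struct hash_ctx *c, uint32_t *out) { *out = c->h; return 0; }

/* Toy "signature check" standing in for RSA verification: the signature is
 * valid iff it equals the digest. The bug below is independent of the
 * algorithm used here. */
static OSStatus raw_verify(uint32_t digest, uint32_t sig) {
    return digest == sig ? 0 : ERR_BAD_SIGNATURE;
}

/* Vulnerable shape. The second, unindented "goto fail" is unconditional, so
 * the remaining hash step and the signature check are never executed. err
 * still holds 0 from the last successful hash_update, so the function
 * returns success for ANY signature value. */
OSStatus verify_server_kex_vulnerable(const uint8_t *cr, const uint8_t *sr,
                                      const uint8_t *sp, size_t n, uint32_t sig)
{
    OSStatus err;
    struct hash_ctx ctx;
    uint32_t digest = 0;
    hash_init(&ctx);
    if ((err = hash_update(&ctx, cr, n)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sr, n)) != 0)
        goto fail;
        goto fail;                       /* <-- duplicated line: always taken */
    if ((err = hash_update(&ctx, sp, n)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);       /* unreachable */
fail:
    return err;
}

/* Fixed shape: one guarded jump per step, braces make the flow explicit. */
OSStatus verify_server_kex_fixed(const uint8_t *cr, const uint8_t *sr,
                                 const uint8_t *sp, size_t n, uint32_t sig)
{
    OSStatus err;
    struct hash_ctx ctx;
    uint32_t digest = 0;
    hash_init(&ctx);
    if ((err = hash_update(&ctx, cr, n)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, sr, n)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, sp, n)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0) { goto fail; }
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Helpers producing a correct and a forged toy signature over the sample. */
uint32_t good_sig(void) {
    struct hash_ctx ctx; uint32_t d;
    hash_init(&ctx);
    hash_update(&ctx, CLIENT_RANDOM, SAMPLE_LEN);
    hash_update(&ctx, SERVER_RANDOM, SAMPLE_LEN);
    hash_update(&ctx, SIGNED_PARAMS, SAMPLE_LEN);
    hash_final(&ctx, &d);
    return d;
}
uint32_t forged_sig(void) { return good_sig() ^ 0x5a5a5a5au; }

int main(void) {
    printf("vulnerable, forged sig: %d (0 = accepted)\n",
           verify_server_kex_vulnerable(CLIENT_RANDOM, SERVER_RANDOM, SIGNED_PARAMS, SAMPLE_LEN, forged_sig()));
    printf("fixed,      forged sig: %d\n",
           verify_server_kex_fixed(CLIENT_RANDOM, SERVER_RANDOM, SIGNED_PARAMS, SAMPLE_LEN, forged_sig()));
    return 0;
}
```

The practical point for a client library is the same one the post makes about Subversion: what matters is which TLS implementation actually performs the ServerKeyExchange signature check, which is why a client built against OpenSSL or GnuTLS on the same OS X machine is unaffected. Compiling the vulnerable function with warnings for unreachable code is one cheap way to catch this pattern in review.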
