[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Apple's CVE-2014-1266 and Subversion

From: Ben Reser <ben_at_reser.org>
Date: Sat, 22 Feb 2014 12:02:10 -0800

Background for people that haven't heard:

Subversion on OS X is **NOT** vulnerable to this.

First of all the problem is in Apple's SecureTransport functionality. Neither
of our HTTP libraries, which we depend on to handle SSL for us, support Apple's
SecureTransport in any released version.

For neon clients (1.7.x and older, though 1.4.x and newer can be using serf as
well), neon only supports OpenSSL or GNUTLS.

For serf clients (1.8.x or newer, 1.4.x optionally at configure time, 1.5.x and
newer optionally at configure and run time configuration), serf only supports
OpenSSL at this time. There is work ongoing to enable SecureTransport and
other SSL implementations in Serf but it's unreleased.

You can check this by doing:
svn cat https://www.imperialviolet.org:1266

You should see an error about the SSL handshake or an error running context or
an error connecting to the repository or an error during SSL communication
(depending on Subversion version and HTTP Library version).

You can of course toggle between http library's with:
--config-option servers:global:http-library=serf
--config-option servers:global:http-library=neon

If you remove the port number and go to the default https port (which has a
well formed certificate and is not a demonstration of the bug), you'll still
get an error but it'll be about XML parsing because we got past the SSL session
startup and didn't like the response the server sent since it's not actually a
Subversion server on the other end.
Received on 2014-02-22 21:02:43 CET

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.