Re: Security Problem in Neon 0.24.4 and earlier - impact on SVN?

From: Joe Orton <joe_at_manyfish.co.uk>
Date: 2004-04-20 21:26:53 CEST

On Mon, Apr 19, 2004 at 10:23:12AM -0700, Jonathan Leffler wrote:
> This was reported on the Full Disclosure mailing list - a vulnerability in
> a separate product but one which is using Neon 0.24.4 (which, according to
> my records, is what SVN 1.0.1 is using). How does it affect SVN - if at
> all?

It looks like the issue can only be triggered in commit paths in SVN,
not checkout paths, so: if you could be persuaded to make a commit to a
malicious server, said server could arrange for arbitrary code to be
executed on the client.

neon 0.24.5, which includes the fix for CAN-2004-0179, is bundled in
Subversion 1.0.2.

Regards,

joe

Received on Tue Apr 20 21:45:12 2004

This is an archived mail posted to the Subversion Users mailing list.