Re: Security Problem in Neon 0.24.4 and earlier - impact on SVN?

From: Joe Orton <joe_at_manyfish.co.uk>
Date: 2004-04-20 21:26:53 CEST

On Mon, Apr 19, 2004 at 10:23:12AM -0700, Jonathan Leffler wrote:
> This was reported on the Full Disclosure mailing list - a vulnerability in
> a separate product but one which is using Neon 0.24.4 (which, according to
> my records, is what SVN 1.0.1 is using). How does it affect SVN - if at
> all?

It looks like the issue can only be triggered in commit paths in SVN,
not checkout paths, so: if you could be persuaded to make a commit to a
malicious server, said server could arrange for arbitrary code to be
executed on the client.

neon 0.24.5, which includes the fix for CAN-2004-0179, is bundled in
Subversion 1.0.2.

Regards,

joe

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Apr 20 21:45:12 2004

This message: [ Message body ]
Next message: kfogel_at_collab.net: "Re: SIPfoundry projects on subversion"
Previous message: John Peacock: "Re: Possible way to support $Log$"
In reply to: Jonathan Leffler: "Security Problem in Neon 0.24.4 and earlier - impact on SVN?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]