[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion 1.0.3 released. *SECURITY FIX*

From: Patrick Mayweg <mayweg_at_qint.de>
Date: 2004-05-19 13:04:56 CEST

The javahl binding for Subversion 1.0.3 on Win32 is ready. Grab it from:


The MD5 checksum is:



Ben Reser wrote:

>Subversion 1.0.3 is ready. Grab it from:
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>The MD5 checksums are:
> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>Subversion versions up to and including 1.0.2 have a buffer overflow in
>the date parsing code.
>Both client and server are vulnerable. The server is vulnerable over
>both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>svn+ssh:// and other tunneled svn+*:// methods).
>Additionally, clients with shared working copies, or permissions that
>allow files in the administrative area of the working copy to be
>written by other users, are potentially exploitable.
>Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>Code Execution", depending upon how skilled the attacker is and the
>ABI specifics of your platform.
>The server vulnerabilities can be triggered without write/commit access
>to the repository. So repositories with anonymous/public read access
>are vulnerable.
>There are no workarounds except to disallow public access. Even then
>you'd still be vulnerable to attack by someone who still has access
>(perhaps you trust those people, though).
>We recommend all users upgrade to 1.0.3.
>CAN-2004-0397: subversion sscanf stack overflow via revision date
> in REPORT query
>There was a similar vulnerability in the Neon HTTP library up to and
>including version 0.24.5. Because Subversion ships with Neon, we have
>included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>simultaneously. Subversion does not actually invoke the vulnerable code
>in Neon; we are updating our copy of Neon simply as a reassuring
>gesture, so people don't worry. See CAN-2004-0398 for details.
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>-The Subversion Team
> User-visible-changes:
> * fixed: security bug in date parsing. (CAN-2004-0397)
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed May 19 16:27:30 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.