
Re: Subversion 1.0.3 released. *SECURITY FIX*

From: Patrick Mayweg <mayweg_at_qint.de>
Date: 2004-05-19 14:07:48 CEST

The last version of the javahl binding was built with an old
neon version. Therefore I made a new release, which can be downloaded from:

http://subversion.tigris.org/files/documents/15/13435/svn-win32-1.0.3_javahl_1.zip

The MD5 checksum is:

  4972d495df512a4c21fb4438e89a7c2a

Sorry for any inconvenience my error caused.
Patrick

Patrick Mayweg wrote:

> The javahl binding for Subversion 1.0.3 on Win32 is ready. Grab it from:
>
>
> http://subversion.tigris.org/files/documents/15/13434/svn-win32-1.0.3_javahl.zip
>
>
> The MD5 checksum is:
>
> 3fdc12912ed891901f8014927ee0a465
>
> Patrick
>
> Ben Reser wrote:
>
>> Subversion 1.0.3 is ready. Grab it from:
>>
>> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
>>
>> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>>
>> The MD5 checksums are:
>>
>> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
>> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>>
>>
>> Subversion versions up to and including 1.0.2 have a buffer overflow in
>> the date parsing code.
>>
>> Both client and server are vulnerable. The server is vulnerable over
>> both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>> svn+ssh:// and other tunneled svn+*:// methods).
>>
>> Additionally, clients with shared working copies, or permissions that
>> allow files in the administrative area of the working copy to be
>> written by other users, are potentially exploitable.
>>
>> Severity:
>> =========
>>
>> Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>> Code Execution", depending upon how skilled the attacker is and the
>> ABI specifics of your platform.
>>
>> The server vulnerabilities can be triggered without write/commit access
>> to the repository. So repositories with anonymous/public read access
>> are vulnerable.
>>
>> Workarounds:
>> ============
>>
>> There are no workarounds except to disallow public access. Even then
>> you'd still be vulnerable to attack by someone who still has access
>> (perhaps you trust those people, though).
>>
>> Recommendations:
>> ================
>>
>> We recommend all users upgrade to 1.0.3.
>>
>> References:
>> ===========
>>
>> CAN-2004-0397: subversion sscanf stack overflow via revision date
>> in REPORT query
>>
>> Note:
>> =====
>>
>> There was a similar vulnerability in the Neon HTTP library up to and
>> including version 0.24.5. Because Subversion ships with Neon, we have
>> included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>> simultaneously. Subversion does not actually invoke the vulnerable code
>> in Neon; we are updating our copy of Neon simply as a reassuring
>> gesture, so people don't worry. See CAN-2004-0398 for details.
>>
>> Questions, comments, and bug reports to users_at_subversion.tigris.org.
>>
>> Thanks,
>> -The Subversion Team
>> --------------------8-<-------cut-here---------8-<-----------------------
>>
>>
>> User-visible-changes:
>> * fixed: security bug in date parsing. (CAN-2004-0397)
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail: dev-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed May 19 16:28:20 2004

This is an archived mail posted to the Subversion Users mailing list.
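
The advisory quoted above names an sscanf stack overflow in date parsing (CAN-2004-0397). As an added illustration of that bug class and its fix, not Subversion's code and not part of the original mail, the following C parser puts a width on every conversion; the `date_fields` struct, the `parse_date` function and the date layout are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record for a date such as "Wed 19 May 2004 14:07:48". */
struct date_fields {
    char wday[4];               /* three letters plus NUL */
    char month[4];
    int day, year, hour, min, sec;
};

/* With a bare "%s" for the two name tokens, sscanf would copy a token of
 * any length into the 4-byte stack buffers. Here each conversion that
 * writes to a buffer carries a width one less than the buffer size, so
 * the write cannot run past the end of the buffer. */
int parse_date(const char *s, struct date_fields *out)
{
    struct date_fields d;
    int n, used = 0;

    if (s == NULL || out == NULL)
        return -1;
    memset(&d, 0, sizeof d);
    n = sscanf(s, "%3s %2d %3s %4d %2d:%2d:%2d%n",
               d.wday, &d.day, d.month, &d.year,
               &d.hour, &d.min, &d.sec, &used);
    /* All seven fields must convert and the whole input must be consumed. */
    if (n != 7 || s[used] != '\0')
        return -1;
    /* sscanf checks syntax only, so range-check the numbers as well. */
    if (d.day < 1 || d.day > 31 || d.year < 0 || d.hour < 0 ||
        d.hour > 23 || d.min < 0 || d.min > 59 || d.sec < 0 || d.sec > 60)
        return -1;
    *out = d;
    return 0;
}

int main(void)
{
    struct date_fields d;
    /* Constructed sample inputs: one well-formed, one with an overlong token. */
    const char *ok = "Wed 19 May 2004 14:07:48";
    const char *bad = "Wednesdayyyyyyyyyyyy 19 May 2004 14:07:48";
    printf("ok=%d bad=%d\n", parse_date(ok, &d), parse_date(bad, &d));
    return 0;
}
```

An overlong token is rejected rather than truncated: after `%3s` takes three characters, the next conversion meets the rest of the token and fails, so fewer than seven fields convert.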
