[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Subversion 1.0.6 released. *SECURITY FIX*

From: Ben Reser <ben_at_reser.org>
Date: 2004-07-20 01:23:04 CEST

Subversion 1.0.6 is ready. Grab it from:

  http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz
  http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2

The MD5 checksums are:

  160c655194dff55f9fdd856110801d01 subversion-1.0.6.tar.gz
  bb05fe041fef7491b3555904d97f5e1c subversion-1.0.6.tar.bz2

PGP Signatures are available at:
   http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz.asc
   http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2.asc

PGP Signatures will be made by the following person(s) for this release:
   Ben Reser [1024D/641E358B] with fingerprint:
   42F5 91FD E577 F545 FB40 8F6B 7241 856B 641E 358B

This is likely the last bugfix release in the 1.0.x line.

Subversion versions up to and including 1.0.5 have a bug in
mod_authz_svn that allows users with write access to read
portions of the repository that they do not have read access
to. Subversion 1.0.6 and newer (including 1.1.0-rc1) are not
vulnerable to this issue.

Details:
========

mod_authz_svn would allow a user to copy portions of a repo to which
they did not have read permissions to portions that they did have
read permissions on, thereby evading the read restrictions.

Severity:
=========

This is a low risk issue. Only sites running mod_authz_svn (an
Apache module) that are trying to restrict some of their users
with write access to a repo from reading part of that repo are
vulnerable.

Most installations will not fall into this category.
Additionally, any attempt to use such a vulnerability will be
apparent as the copy will be versioned. Plus, it's doubtful
any site would permit public write access to its repository
so this issue should not be accessible by unauthenticated users.

This vulnerability does not affect users running svnserve.

Workarounds:
============

* Disable DAV and use svnserve.

* Separate content into different repos.

* Disable the COPY method via Apache configuration. Note this will
  disallow all copies.

Recommendations:
================

We recommend all users upgrade to 1.0.6 or 1.1.0-rc1.

Questions, comments, and bug reports to users_at_subversion.tigris.org.

Thanks,
-The Subversion Team

--------------------8-<-------cut-here---------8-<-----------------------

 User-visible-changes:
 * fixed: crash in status command, caused by race (r10144)
 * fixed: crashes when deleting a revision-prop (r10148, r10185, r10192)
 * fixed: mod_authz_svn allows COPY method on repos with space in name (#1837)
 * fixed: mod_authz_svn COPY security hole: authorize whole tree (issue #1949)

 Developer-visible changes:
 * neon 0.24.7 now required (fixes wire compression bugs) (r10159, 10176)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jul 20 01:24:10 2004

This is an archived mail posted to the Subversion Users mailing list.