Vulnerability in APR: CVE-2011-0419

From: Hyrum K Wright <hyrum_at_hyrumwright.org>
Date: Sat, 14 May 2011 11:27:34 +0000

To interested persons:

Apache Subversion uses the Apache Portable Runtime (APR) to provide
platform-specific and other utility services. APR announced the
availability of APR 1.4.4, which addresses CVE-2011-0419, a potential
unconstrained recursion bug in the apr_fnmatch(). An attacker could
potentially exploit this issue to cause the target machine to exhaust
stack memory or use excessive CPU. Prior to Subversion 1.6.16,
Subversion used the compromised function on untrusted data in
mod_dav_svn, exposing it to this flaw.

In Subversion 1.6.16, mod_dav_svn was changed to avoid the use of
apr_fnmatch(), eliminating this attack vector for Subversion. Thus,
Subversion systems are only vulnerable if they are running *both* APR
< 1.4.4 and Subversion < 1.6.16. It is recommended that users upgrade
one or both of these components as soon as is convenient.

To read more about the APR 1.4.4 release, see
http://www.apache.org/dist/apr/Announcement1.x.html

- The Subversion Team
Received on 2011-05-14 13:28:09 CEST

This message: [ Message body ]
Next message: Cate Bekensail: ".svn/entries format"
Previous message: Stefan Sperling: "Re: fsverify.py unable to fix invalid svndiff header"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]