Re: Subversion upgrade problem

From: Parrish Knight <parrish.knight_at_noaa.gov>
Date: Mon, 22 Oct 2012 09:55:33 -0400

On Mon, Oct 22, 2012 at 9:47 AM, Stefan Sperling <stsp_at_elego.de> wrote:
> If he can reproduce this problem even with patches applied, please
> ask him to report this as a new security issue with a reproduction
> recipe included. Please see
> http://subversion.apache.org/docs/community-guide/issues.html#security
> for details on reporting security issues.

I'll pass that information along to him as soon as we're reasonably
certain that it's an actual issue. As you say, there are still a few
other things to check, especially inasmuch as the help desk
technicians here at NGS are not particularly familiar with open-source
software.

> Are you sure the Subversion upgrade was done properly?

I used Control Panel to uninstall the previous version, then I
downloaded and unZIPped the most current version. Is there anything I
may have overlooked?

> Maybe the server
> is still using a vulnerable version of libsvn_delta by accident?

How do I check for that? (I am unfamiliar with this software because
I am not a developer. Please be patient with me... thanks.)

> How are you testing for this vulnerability?

Our security officer runs a scan remotely to locate risks. I am
uncertain which tool(s) he uses for this purpose. If you think it may
be pertinent, I can ask him. Are you thinking it might be a false
positive?

> As far as I know an exploit
> was circulated privately among developers for testing purposes but was
> never made public. Did you write a new exploit or do you happen to have
> a repository data set that triggers the problem reliably?

The NGS is a pretty small agency. I am uncertain as to the exact
number of Subversion users here, but it's going to be very small --
it's even possible that my current customer is the only one.

> Please do not post reproduction recipes for security issues to this
> list -- it is publicly archived. Instead, feel free to continue this
> conversation via channels documented at
> http://subversion.apache.org/docs/community-guide/issues.html#security
> if you have some sort of sensitive data to share with us. Thanks.

Understood.

-- 
Parrish S. Knight
NGS Help Desk Lead
301-713-3254 x184
parrish.knight_at_noaa.gov
Received on 2012-10-22 15:56:10 CEST

This is an archived mail posted to the Subversion Users mailing list.