On Mon, Oct 22, 2012 at 9:47 AM, Stefan Sperling <stsp_at_elego.de> wrote:
> If he can reproduce this problem even with patches applied, please
> ask him to report this as a new security issue with a reproduction
> recipe included. Please see
> http://subversion.apache.org/docs/community-guide/issues.html#security
> for details on reporting security issues.
I'll pass that information along to him as soon as we're reasonably
certain that it's an actual issue. As you say, there are still a few
other things to check, especially inasmuch as the help desk
technicians here at NGS are not particularly familiar with open-source
software.
> Are you sure the Subversion upgrade was done properly?
I used Control Panel to uninstall the previous version, then I
downloaded and unzipped the most current version. Is there anything I
may have overlooked?
> Maybe the server
> is still using a vulnerable version of libsvn_delta by accident?
How do I check for that? (I am unfamiliar with this software because
I am not a developer. Please be patient with me... thanks.)
> How are you testing for this vulnerability?
Our security officer runs a scan remotely to locate risks. I am
uncertain which tool(s) he uses for this purpose. If you think it may
be pertinent, I can ask him. Are you thinking it might be a false
positive?
> As far as I know an exploit
> was circulated privately among developers for testing purposes but was
> never made public. Did you write a new exploit or do you happen to have
> a repository data set that triggers the problem reliably?
The NGS is a pretty small agency. I am uncertain as to the exact
number of Subversion users here, but it's going to be very small --
it's even possible that my current customer is the only one.
> Please do not post reproduction recipes for security issues to this
> list -- it is publicly archived. Instead, feel free to continue this
> conversation via channels documented at
> http://subversion.apache.org/docs/community-guide/issues.html#security
> if you have some sort of sensitive data to share with us. Thanks.
Understood.
--
Parrish S. Knight
NGS Help Desk Lead
301-713-3254 x184
parrish.knight_at_noaa.gov
Received on 2012-10-22 15:56:10 CEST
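The question left open in the reply above is how to tell whether a Windows host is still loading an old libsvn_delta by accident. The following PowerShell is an added example, not code from the thread, from Subversion or from its contributors. It assumes a Windows server (the reply mentions Control Panel and an unzipped download), PowerShell 3 or later run from an elevated prompt, that Windows builds of Subversion ship the library as a DLL matching libsvn_delta*.dll, and that the server process is svnserve.exe or Apache's httpd.exe; the search roots are an assumption too.

```powershell
# Added example (not from the mailing-list thread). Finds every copy of the
# Subversion delta library on disk, reports its version, and then shows which
# copy the running server process has actually loaded.
# Assumptions: library file name matches libsvn_delta*.dll (e.g. libsvn_delta-1.dll),
# server runs as svnserve.exe or httpd.exe, PowerShell 3+ in an elevated prompt.

$roots = @('C:\Program Files', 'C:\Program Files (x86)', $env:SystemRoot)   # assumed search roots

# 1. Every copy on disk with its file version. Uninstalling through Control Panel
#    only removes what the old installer registered; a copy unzipped elsewhere,
#    or one bundled with a third-party tool, is left in place. Two different
#    versions in this list is the "stale library" case the reply asks about.
$copies = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'libsvn_delta*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object FullName,
            @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } },
            @{ Name = 'LastWrite';   Expression = { $_.LastWriteTime } }
}
'--- libsvn_delta copies on disk ---'
$copies | Sort-Object FileVersion | Format-Table -AutoSize

# 2. The copy that matters is the one mapped into the running server process,
#    which is not necessarily the newest one on disk (DLL search order picks the
#    first match on the process's path).
'--- libsvn_delta loaded by running Subversion server processes ---'
foreach ($name in 'svnserve', 'httpd') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $proc.Modules | Where-Object { $_.ModuleName -like 'libsvn_delta*' } |
            Select-Object @{ Name = 'Process';     Expression = { "$name ($($proc.Id))" } },
                          FileName,
                          @{ Name = 'FileVersion'; Expression = { $_.FileVersionInfo.FileVersion } }
    }
} | Format-Table -AutoSize

# 3. What the command-line client itself reports (client and server can differ).
'--- svn --version ---'
svn --version
```

Compare the versions printed in sections 1 and 2 against the fixed version named in the relevant Subversion advisory. If every copy on disk and every loaded module is already at or above that version while the remote scan still flags the host, the next thing to ask the security officer is which tool produced the finding and whether it decides from a version banner rather than from exercising the bug; that is the point at which a false positive becomes plausible, and it is also the information the project asked for before treating it as a new security issue.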