On Mon, Oct 22, 2012 at 09:55:33AM -0400, Parrish Knight wrote:
> > Are you sure the Subversion upgrade was done properly?
>
> I used Control Panel to uninstall the previous version, then I
> downloaded and unZIPped the most current version. Is there anythin I
> may have overlooked?
That sounds fine. Maybe windows also needs a reboot to pick up newly
installed Subversion libraries, but maybe it doesn't (I'm not a
Windows expert).
> > Maybe the server
> > is still using a vulnerable version of libsvn_delta by accident?
>
> How do I check for that? (I am unfamiliar with this software because
> I am not a developer. Please be patient with me... thanks.)
You could check if you can still see a libsvn_delta-1.dll (or similarly
named file) left over from the old installation.
> > How are you testing for this vulnerability?
>
> Our security officer runs a scan remotely to locate risks. I am
> uncertain which tool(s) he uses for this purpose. If you think it may
> be pertinent, I can ask him. Are you thinking it might be a false
> positive?
Yes, that's possible and probably the first thing to check next.
What is this scan actually doing and trying to detect?
Just to make sure I got this right: You're not scanning a Subversion
server machine, but a Subversion client machine (a laptop), correct?
To detect the exploit in question it would have to try to remotely crash
the Subversion client or server using an exploit tailored towards this
specific vulnerability, crafting a custom svndiff data stream which
triggers a crash, and then somehow detect remotely whether the client
or server crashed because of this exploit.
I doubt a general-purpose scanning tool would have such sophisticated
exploit-specific checks built-in. So in this case I'd start out assuming
a false positive unless the opposite is proven.
Received on 2012-10-22 16:13:59 CEST