
Re: Subversion upgrade problem

From: Parrish Knight <parrish.knight_at_noaa.gov>
Date: Mon, 22 Oct 2012 10:37:45 -0400

On Mon, Oct 22, 2012 at 10:13 AM, Stefan Sperling <stsp_at_elego.de> wrote:
> You could check if you can still see a libsvn_delta-1.dll (or similarly
> named file) left over from the old installation.

The only "libsvn" files I find on search are in the Subversion 1.7.7
directory, so that doesn't appear to be the problem. I'm pretty sure
I already rebooted last week as part of this process, but just in case
my memory is playing tricks on me, I rebooted again this morning and
will do another search in a little while.

>> Are you thinking it might be a false positive?
>
> Yes, that's possible and probably the first thing to check next.

Our security officer uses the Nessus scanner from Tenable -- www.tenable.com.

> Just to make sure I got this right: You're not scanning a Subversion
> server machine, but a Subversion client machine (a laptop), correct?

Correct.

> To detect the exploit in question it would have to try to remotely crash
> the Subversion client or server using an exploit tailored towards this
> specific vulnerability, crafting a custom svndiff data stream which
> triggers a crash, and then somehow detect remotely whether the client
> or server crashed because of this exploit.
>
> I doubt a general-purpose scanning tool would have such sophisticated
> exploit-specific checks built-in. So in this case I'd start out assuming
> a false positive unless the opposite is proven.

OK, I'm cc'ing our security officer on this thread to bring him into
the discussion and let him know where we're going.

-- 
Parrish S. Knight
NGS Help Desk Lead
301-713-3254 x184
parrish.knight_at_noaa.gov
Received on 2012-10-22 16:38:18 CEST
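The quoted reply above turns on what a tailored check would actually have to do: hand the Subversion delta code a crafted svndiff data stream and see whether it crashes. The following decoder is an added illustration of that stream format and of the bounds checks a reader of it needs; it is not Subversion's libsvn_delta code, and it makes no claim about which check the issue flagged by the scanner concerned. It handles svndiff version 0 only (the header byte after "SVN"), rejects the compressed version-1/2 sections rather than guessing at them, and refuses every malformed window with an exception instead of reading outside its buffers. The sample streams GOOD and BAD are hand-assembled for this example.

```python
"""Minimal svndiff version-0 decoder with the bounds checks a safe reader needs.

Added example, not Subversion's own code. Layout per the svndiff notes shipped
with Subversion: "SVN" + version byte, then windows of five varints (source
view offset, source view length, target view length, instruction length,
new-data length) followed by the instruction and new-data sections.
"""

SELECT_SOURCE, SELECT_TARGET, SELECT_NEW = 0, 1, 2


class SvndiffError(ValueError):
    """Raised for any stream the decoder refuses instead of crashing on."""


def encode_varint(n: int) -> bytes:
    """7 bits per byte, most significant group first, high bit = continuation."""
    if n < 0:
        raise ValueError("svndiff ints are unsigned")
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def decode_varint(buf: bytes, pos: int):
    """Return (value, new_pos); refuse truncated or over-long encodings."""
    value = 0
    for _ in range(10):  # a 64-bit value needs at most ten 7-bit groups
        if pos >= len(buf):
            raise SvndiffError("truncated varint")
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos
    raise SvndiffError("varint too long")


def apply_window(source: bytes, stream: bytes, pos: int):
    """Parse one window at stream[pos:], apply it, return (target_bytes, new_pos)."""
    sview_off, pos = decode_varint(stream, pos)
    sview_len, pos = decode_varint(stream, pos)
    tview_len, pos = decode_varint(stream, pos)
    ins_len, pos = decode_varint(stream, pos)
    new_len, pos = decode_varint(stream, pos)
    if sview_off + sview_len > len(source):
        raise SvndiffError("source view outside source text")
    if pos + ins_len + new_len > len(stream):
        raise SvndiffError("window sections exceed stream length")
    ins = stream[pos:pos + ins_len]
    pos += ins_len
    new = stream[pos:pos + new_len]
    pos += new_len
    sview = source[sview_off:sview_off + sview_len]
    target = bytearray()
    new_pos = 0
    ip = 0
    while ip < len(ins):
        op = ins[ip]
        ip += 1
        selector = op >> 6          # two-bit instruction selector
        length = op & 0x3F          # six-bit length, 0 means a varint follows
        if length == 0:
            length, ip = decode_varint(ins, ip)
        if len(target) + length > tview_len:
            raise SvndiffError("instruction overruns target view")
        if selector == SELECT_SOURCE:
            off, ip = decode_varint(ins, ip)
            if off + length > sview_len:
                raise SvndiffError("source copy outside source view")
            target += sview[off:off + length]
        elif selector == SELECT_TARGET:
            off, ip = decode_varint(ins, ip)
            if off >= len(target):
                raise SvndiffError("target copy reads unwritten bytes")
            for k in range(length):  # byte-wise so an overlapping run repeats
                target.append(target[off + k])
        elif selector == SELECT_NEW:
            if new_pos + length > len(new):
                raise SvndiffError("new-data copy outside new-data section")
            target += new[new_pos:new_pos + length]
            new_pos += length
        else:
            raise SvndiffError("undefined instruction selector 3")
    if len(target) != tview_len:
        raise SvndiffError("window produced %d bytes, declared %d"
                           % (len(target), tview_len))
    return bytes(target), pos


def decode_svndiff(source: bytes, stream: bytes) -> bytes:
    """Apply every window of a version-0 svndiff stream to source."""
    if len(stream) < 4 or stream[:3] != b"SVN":
        raise SvndiffError("missing SVN header")
    if stream[3] != 0:
        raise SvndiffError("only svndiff0 handled here (version %d)" % stream[3])
    pos, out = 4, bytearray()
    while pos < len(stream):
        chunk, pos = apply_window(source, stream, pos)
        out += chunk
    return bytes(out)


def decode_or_reason(source: bytes, stream: bytes):
    """Return (decoded, None) on success or (None, reason) when refused."""
    try:
        return decode_svndiff(source, stream), None
    except SvndiffError as e:
        return None, str(e)


# Constructed sample input: one window turning "hello world" into "hello hello!".
SOURCE = b"hello world"
GOOD = (b"SVN\x00"
        + b"\x00\x0b\x0c\x05\x01"  # src off 0, src len 11, tgt len 12, ins 5, new 1
        + b"\x06\x00"              # copy 6 bytes from source view offset 0: "hello "
        + b"\x45\x00"              # copy 5 bytes from target offset 0: "hello"
        + b"\x81"                  # copy 1 byte from new data: "!"
        + b"!")
# Same shape, but the source copy asks for 20 bytes of an 11-byte view.
BAD = (b"SVN\x00" + b"\x00\x0b\x1a\x05\x01" + b"\x14\x00\x45\x00\x81" + b"!")

if __name__ == "__main__":
    print(decode_or_reason(SOURCE, GOOD))
    print(decode_or_reason(SOURCE, BAD))
```

The point for the thread is the last two lines: a scanner that wanted to prove the flagged issue, rather than infer it from a version banner, would have to deliver something like BAD to a live client or server and then observe the outcome remotely, which is why a banner-based match on a client laptop is the more likely explanation.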

This is an archived mail posted to the Subversion Users mailing list.
