
ssh vulnerability that has potential impacts to Subversion users

From: Ben Reser <ben_at_reser.org>
Date: Fri, 08 Nov 2013 14:29:20 -0800

OpenSSH released a fix for a memory corruption with AES-GCM ciphers in OpenSSH
6.2 and 6.3.

Their advisory is here:
http://www.openssh.com/txt/gcmrekey.adv

If you're using Subversion in a svn+ssh:// configuration that places restrictions
on the command being run using the command field in the authorized_keys file, it
may be possible to bypass this restriction.

This Subversion configuration is described in the SVN Book here:
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks
Received on 2013-11-08 23:29:57 CET

This is an archived mail posted to the Subversion Users mailing list.
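
The following added example (not from the original message, Subversion or OpenSSH) lists which authorized_keys entries rely on a forced svnserve command, the restriction the message says may be bypassed, and checks a version banner against the two releases it names. The sample file contents, user names and repository path are constructed for illustration.

```python
import re

AFFECTED = {(6, 2), (6, 3)}  # OpenSSH releases named in the message above
# One option: name, optional quoted value, then "," (more options) or end of field.
OPTION = re.compile(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s|$)')

def openssh_affected(banner):
    """True if a version banner such as `ssh -V` output names 6.2 or 6.3."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return bool(m) and (int(m.group(1)), int(m.group(2))) in AFFECTED

def forced_command(line):
    """Return the command="..." value of one authorized_keys line, else None."""
    line, pos = line.strip(), 0
    while pos < len(line):
        m = OPTION.match(line, pos)
        if not m:
            return None      # not an option list we can parse: review by hand
        if m.group(1).lower() == "command" and m.group(2) is not None:
            return m.group(2)
        if m.group(3) != ",":
            return None      # options field ended, or line began with a key type
        pos = m.end()
    return None

def svn_forced_keys(text):
    """List (line number, command) for keys restricted to svnserve."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            cmd = forced_command(line)
            if cmd and "svnserve" in cmd:
                hits.append((n, cmd))
    return hits

# Constructed sample: key blobs truncated, users and paths invented.
# Line 3 is an unrestricted key whose comment merely contains "svnserve";
# line 4 hides "command=" inside another option's quoted value.
SAMPLE = '''# constructed authorized_keys sample
command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-pty ssh-rsa AAAAB3Nza harry@example.com
ssh-rsa AAAAB3Nzb svnserve-admin@example.com
environment="NOTE=a,command=b",command="svnserve -t -r /srv/svn" ssh-rsa AAAAB3Nzc sally@example.com
'''

if __name__ == "__main__":
    for lineno, cmd in svn_forced_keys(SAMPLE):
        print(f"line {lineno}: restricted to {cmd!r}")
```

A version match only narrows the search; the linked OpenSSH advisory gives the exact conditions under which a server is exposed.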