
Re: [CVE-2018-11803] Apache Subversion Denial of Service Vulnerability

From: <innnzzz6_at_hotmail.com>
Date: Mon, 28 Jan 2019 14:43:47 +0700

On 2019/01/23 03:55:14, Troy Curtis wrote:
> This is a security notification for Apache Subversion HTTP Servers:
>
> CVE-2018-11803
> Severity: Medium
> Affected Versions: Apache Subversion 1.11.0, 1.10.0 to 1.10.3
>
> Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0
> to 1.10.3 will crash after dereferencing an uninitialized pointer if the
> client omits the root path in a recursive directory listing operation.
> This issue can be triggered by any client on Subversion repositories
> configured for anonymous read access. If read access requires
> authentication, a denial of service attack can only be performed by an
> authenticated user.
>
> The Subversion releases 1.10.4 and 1.11.1 contain the fixes for this
> vulnerability and are available immediately at:
>
> https://dist.apache.org/repos/dist/release/subversion/?p=32084
>
> Additional details, including patches for 1.10.3 and 1.11.0 can be found at:
>
> https://subversion.apache.org/security/CVE-2018-11803-advisory.txt
>
> We encourage users of Subversion to upgrade to the latest appropriate
> version as soon as reasonable.
>
> Thanks,
> - The Subversion Team
>

Sent from my iPhone
Received on 2019-01-29 08:05:43 CET
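
The bug class named in the advisory (a pointer that is only assigned when the client supplies an optional element, then used unconditionally) is sketched below next to a hardened form. This is an added illustration, not code from mod_dav_svn or from the advisory's patches; the request model, the element names "path" and "depth", and all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical parsed request: name/value elements sent by the client. */
struct elem { const char *name; const char *value; };

enum { LIST_OK = 0, LIST_BAD_REQUEST = 400 };

#ifdef SHOW_VULNERABLE  /* kept out of normal builds; shown for comparison */
/* Flawed pattern: root is assigned only if the element is present. */
static int list_vulnerable(const struct elem *e, size_t n, size_t *len)
{
    const char *root;                    /* never initialized */
    for (size_t i = 0; i < n; i++)
        if (strcmp(e[i].name, "path") == 0)
            root = e[i].value;
    *len = strlen(root);                 /* reads through garbage if omitted */
    return LIST_OK;
}
#endif

/* Hardened form: initialize to NULL, reject the request if still unset. */
int list_hardened(const struct elem *e, size_t n, size_t *len)
{
    const char *root = NULL;
    for (size_t i = 0; i < n; i++)
        if (e[i].name != NULL && strcmp(e[i].name, "path") == 0)
            root = e[i].value;
    if (root == NULL)
        return LIST_BAD_REQUEST;         /* client error instead of a crash */
    *len = strlen(root);
    return LIST_OK;
}

/* Constructed sample requests: one with the root path, one without. */
static const struct elem with_path[] = { {"depth", "infinity"}, {"path", "/trunk"} };
static const struct elem without_path[] = { {"depth", "infinity"} };

/* Returns 0 when both samples are handled as expected. */
int check_samples(void)
{
    size_t len = 0;
    if (list_hardened(with_path, 2, &len) != LIST_OK || len != 6) return 1;
    if (list_hardened(without_path, 1, &len) != LIST_BAD_REQUEST) return 2;
    return 0;
}
```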

This is an archived mail posted to the Subversion Users mailing list.