[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Note from Vibin Bruno to your Facebook Page Subversion.

From: Mark Phippard <markphip_at_gmail.com>
Date: Tue, 22 Sep 2020 16:43:56 -0400

On Sun, Sep 20, 2020 at 4:44 PM Vibin Bruno <vbruno165_at_gmail.com> wrote:

> Hi Team,
> Our security team has raised below vulnerabilities in SVN.
> 1. Concurrent login allowed in SVN console - same user can login to the
> console same time using two machines.
> 2. Brute Force attack - user should be locked after 3 incorrect login
> attempts.
> Kindly help us in resolving the above vulnerabilities.

This is not the correct list to report these "problems".

SVN does not have a web user interface or console, so you are likely using
some other SVN management product and need to report this there. That said,
I would say both of these are more opinion and taste than vulnerabilities.
I manage a SVN related product called SVN Edge and I would not consider
"fixing" either of these issues if that is the product you are using. The
first one is just straight up not a problem and I would never entertain it
as one. The second one is somewhat a problem though "3" is an arbitrary
number and there are a lot of ways to deal with brute force login attempts.
For example, SVN Edge throttles the login attempts making it impractical to
brute force attack a password.

Mark Phippard
Received on 2020-09-22 22:44:17 CEST

This is an archived mail posted to the Subversion Users mailing list.