On Tue, Sep 22, 2020 at 4:09 PM Vibin Bruno <vbruno165_at_gmail.com> wrote:
>
> Kindly help in resolving the below vulnerabilities
>
> On Mon, Sep 21, 2020, 02:06 Vibin Bruno <vbruno165_at_gmail.com> wrote:
>>
>> Hi Team,
>>
>> Our security team has raised below vulnerabilities in SVN.
>>
>> 1. Concurrent login allowed in SVN console - same user can login to the console same time using two machines.
This is not a vulnerability. It's a feature. Sessions using SSH keys
or credentials may be automated for continuous integration systems to
simultaneously permit dozens or hundreds of simultaneous sessions.
It's not a Subversion problem per se, it's built into the transport
mechanisms such as SSH sessions for svn+ssh, the svnserve daemon, or
the httpd daemon for mod_svn access. It's not built for
single-threaded operation, though I suppose with httpd you could set
it up that way.
>> 2.
>> Brute Force attack - user should be locked after 3 incorrect login attempts.
That's a back end authentication, typically built into the Kerberos
based authentication of tools like Active Directory or other LDAP and
Kerberos systems, not a Subversion issue which httpd and svnserve and
SSH access can use. I suggest that you find whoever is telling you to
resolve these issues and enroll them in some courses on how password
based authentication normally works.
>> Kindly help us in resolving the above vulnerabilities.
These are not Subversion issues. They are authentication back end
issues, most of them easily configured for a desired policy. Who is
calling these "vulnerabilities"? It's like saying that having a window
that opens is a vulnerability, it's how the systems normally work.
Nico Kadel-Garcia
>>
>> Regards,
>> Micheal
>> 8655557405
Received on 2020-09-23 08:56:34 CEST