[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Note from Vibin Bruno to your Facebook Page Subversion.

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Wed, 23 Sep 2020 02:56:12 -0400

On Tue, Sep 22, 2020 at 4:09 PM Vibin Bruno <vbruno165_at_gmail.com> wrote:
> Kindly help in resolving the below vulnerabilities
> On Mon, Sep 21, 2020, 02:06 Vibin Bruno <vbruno165_at_gmail.com> wrote:
>> Hi Team,
>> Our security team has raised below vulnerabilities in SVN.
>> 1. Concurrent login allowed in SVN console - same user can login to the console same time using two machines.

This is not a vulnerability. It's a feature. Sessions using SSH keys
or credentials may be automated for continuous integration systems to
simultaneously permit dozens or hundreds of simultaneous sessions.
It's not a Subversion problem per se, it's built into the transport
mechanisms such as SSH sessions for svn+ssh, the svnserve daemon, or
the httpd daemon for mod_svn access. It's not built for
single-threaded operation, though I suppose with httpd you could set
it up that way.

>> 2.
>> Brute Force attack - user should be locked after 3 incorrect login attempts.

That's a back end authentication, typically built into the Kerberos
based authentication of tools like Active Directory or other LDAP and
Kerberos systems, not a Subversion issue which httpd and svnserve and
SSH access can use. I suggest that you find whoever is telling you to
resolve these issues and enroll them in some courses on how password
based authentication normally works.

>> Kindly help us in resolving the above vulnerabilities.

These are not Subversion issues. They are authentication back end
issues, most of them easily configured for a desired policy. Who is
calling these "vulnerabilities"? It's like saying that having a window
that opens is a vulnerability, it's how the systems normally work.

Nico Kadel-Garcia

>> Regards,
>> Micheal
>> 8655557405
Received on 2020-09-23 08:56:34 CEST

This is an archived mail posted to the Subversion Users mailing list.