Bug 813913 - VUL-0: subversion: multiple remotely triggerable vulnerabilities in subversion mod_dav_svn may result in denial-of-service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: All openSUSE 12.3
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
maint:released:sle11-sp2:52493
Reported: 2013-04-07 19:57 UTC by Andreas Stieger
Modified: 2013-06-10 10:07 UTC (History)
Description Andreas Stieger 2013-04-07 19:57:22 UTC
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0

http://subversion.apache.org/security/
http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E
http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvSTMLbn4q_KM3Ph2UOeSiPGhEK4%3DSvwEjaHW_GUGkYWPQ%40mail.gmail.com%3E

Apache Subversion 1.7.9 addresses the following security issues:

* CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
* CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs
* CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs
* CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs
* CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT request

Subversion 1.6.21 addresses four security issues:
* CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
* CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs
* CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs
* CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs

http://subversion.apache.org/security/CVE-2013-1845-advisory.txt
http://subversion.apache.org/security/CVE-2013-1846-advisory.txt
http://subversion.apache.org/security/CVE-2013-1847-advisory.txt
http://subversion.apache.org/security/CVE-2013-1849-advisory.txt
http://subversion.apache.org/security/CVE-2013-1884-advisory.txt

Reproducible: Always
Comment 1 Andreas Stieger 2013-04-07 21:37:05 UTC
Maintenance request: https://build.opensuse.org/request/show/163084
Comment 2 Bernhard Wiedemann 2013-04-07 22:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (813913) was mentioned in
https://build.opensuse.org/request/show/163081 Factory / subversion
Comment 3 Marcus Meissner 2013-04-08 07:24:01 UTC
thx for spotting!
Comment 4 Marcus Meissner 2013-04-08 10:46:16 UTC
i accepted the mr for openSUSE. -> SLE
Comment 5 Sebastian Krahmer 2013-04-16 08:26:20 UTC
Do we need SLE updates?
Comment 6 Swamp Workflow Management 2013-04-16 09:04:52 UTC
openSUSE-SU-2013:0687-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 813913
CVE References: CVE-2013-1845,CVE-2013-1846,CVE-2013-1847,CVE-2013-1849,CVE-2013-1884
Sources used:
openSUSE 12.3 (src):    subversion-1.7.9-2.4.1
openSUSE 12.2 (src):    subversion-1.7.9-4.12.1
openSUSE 12.1 (src):    subversion-1.6.21-2.17.1
Comment 7 Marcus Meissner 2013-04-16 09:13:00 UTC
i would say yes ... needs a swamp entry
Comment 8 Swamp Workflow Management 2013-04-16 11:35:44 UTC
The SWAMPID for this issue is 52135.
This issue was rated as moderate.
Please submit fixed packages until 2013-04-30.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 18 Vítězslav Čížek 2013-04-23 14:37:24 UTC
So my work here is done. Reassigning back to security-team.
Comment 19 Bernhard Wiedemann 2013-05-04 23:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (813913) was mentioned in
https://build.opensuse.org/request/show/174504 Maintenance /
Comment 24 Bernhard Wiedemann 2013-05-23 05:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (813913) was mentioned in
https://build.opensuse.org/request/show/176383 Evergreen:11.2 / subversion
Comment 25 Matthias Weckbecker 2013-05-27 14:02:33 UTC
released
Comment 26 Swamp Workflow Management 2013-05-27 16:56:32 UTC
Update released for: cvs2svn, subversion, subversion-debuginfo, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools, viewcvs
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 27 Swamp Workflow Management 2013-05-27 17:05:45 UTC
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
Comment 28 Swamp Workflow Management 2013-06-10 10:07:27 UTC
openSUSE-SU-2013:0932-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 710878,796050,813913
CVE References: CVE-2013-1845,CVE-2013-1846,CVE-2013-1847,CVE-2013-1849
Sources used:
openSUSE 11.4 (src):    subversion-1.6.21-47.1