Bugzilla – Bug 1011552
VUL-1: CVE-2016-8734: subversion: Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://
Last modified: 2021-11-12 18:45:10 UTC
EMBARGOED

   Unrestricted XML entity expansion in mod_dontdothat and Subversion
   clients using http(s)://

Summary:
========

  Subversion's mod_dontdothat module and clients using http(s):// are
  vulnerable to a denial-of-service attack caused by exponential XML
  entity expansion. The attack, otherwise known as the "billion laughs
  attack", targets XML parsers and can cause the targeted process to
  consume an excessive amount of CPU resources or memory.

  There are no known instances of this problem being exploited in the
  wild. The details for this vulnerability have been disclosed on the
  Subversion development mailing list.

Known vulnerable:
=================

  mod_dontdothat 1.4.0 through 1.8.16 (inclusive)
  mod_dontdothat 1.9.0 through 1.9.4 (inclusive)
  Subversion clients 1.4.0 through 1.8.16 (inclusive)
  Subversion clients 1.9.0 through 1.9.4 (inclusive)

  Note: Subversion clients 1.4.0 through 1.7.22 can use either Serf or
  Neon as HTTP library. Among these versions, only clients using Serf
  are vulnerable.

Known fixed:
============

  Subversion 1.8.17
  Subversion 1.9.5
  Subversion clients not using http(s):// are not vulnerable

Details:
========

  The attack takes advantage of three properties of XML (substitution
  entities, nested entities, and inline DTDs) that allow preparing an
  XML bomb -- a small block of XML that can require a significant
  amount of CPU resources or memory to process.

  An authenticated remote attacker can cause denial-of-service
  conditions on the server using mod_dontdothat by sending a specially
  crafted REPORT request. The attack does not require access to a
  particular repository.

  If an attacker has control over HTTP responses sent to a Subversion
  client, he can cause denial-of-service conditions on the client by
  injecting the XML bomb into the response.

Severity:
=========

  CVSSv2 Base Score: 3.5
  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.

  While mod_dontdothat is not typically installed, server installations
  using it are vulnerable to authenticated attackers. The attack does
  not require read access to a particular repository. Servers which
  allow anonymous reads will be vulnerable without authentication.

  The client side of this vulnerability might be exploited as well, but
  requires an attacker to have control over HTTP responses delivered to
  the client.

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.9.5. Users of
  Subversion 1.8.x and 1.9.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No workaround is available.

References:
===========

  CVE-2016-8734 (Subversion)

Reported by:
============

  Florian Weimer, Red Hat, Inc.

---------

trunk: https://svn.apache.org/r1770677
1.9.x: https://svn.apache.org/r1770679
1.8.x: https://svn.apache.org/r1770680

Public URL will be:
https://subversion.apache.org/security/CVE-2016-8734-advisory.txt
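Added worked example for the advisory above; this is not the advisory's text and not Subversion's own code. It constructs a "billion laughs" payload of the shape the Details section describes (inline DTD, substitution entities, nesting), computes statically how large it would expand without ever expanding it, and then parses with expat while refusing any entity declaration, so a naive parser's exponential expansion never starts. The payload, the entity names (lol0..lol9), the size estimator and the parser wrapper are all constructed here for illustration; a Subversion DAV exchange never needs a DTD, which is why refusing declarations outright is a cheap mitigation to demonstrate.

```python
"""
Constructed illustration of CVE-2016-8734's attack primitive and one
mitigation.  Not the advisory's code and not Subversion's.
"""
import re
import xml.parsers.expat

DEPTH = 9    # nesting levels of the bomb
FANOUT = 10  # references per level; expansion is FANOUT ** DEPTH


def billion_laughs(depth=DEPTH, fanout=FANOUT):
    """Constructed payload: an inline DTD in which each entity references
    the previous one `fanout` times, so lol<depth> expands to
    fanout**depth copies of "lol" from well under 1 KB of XML."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = ("&lol%d;" % (i - 1)) * fanout
        decls.append('<!ENTITY lol%d "%s">' % (i, refs))
    template = '<?xml version="1.0"?>\n<!DOCTYPE bomb [\n%s\n]>\n<bomb>&lol%d;</bomb>\n'
    return template % ("\n".join(decls), depth)


# Simplification: only internal, double-quoted general entities are read;
# parameter entities and external entities are out of scope here.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


def _expanded_len(text, values, memo, stack):
    """Length of `text` once every entity reference is expanded, computed
    without performing the expansion.  `stack` holds the entities currently
    being expanded, so a recursive declaration (which a conforming parser
    must reject anyway) raises instead of looping forever."""
    total = len(ENTITY_REF.sub("", text))
    for name in ENTITY_REF.findall(text):
        if name in PREDEFINED:
            total += PREDEFINED[name]
        elif name not in values:
            total += len(name) + 2  # undeclared reference, left as-is
        elif name in stack:
            raise ValueError("recursive entity reference: " + name)
        else:
            if name not in memo:
                memo[name] = _expanded_len(values[name], values, memo, stack | {name})
            total += memo[name]
    return total


def _declared(doc):
    return dict(ENTITY_DECL.findall(doc))


def expanded_entity_size(doc, name):
    """Expanded length of one declared entity."""
    values = _declared(doc)
    return _expanded_len(values[name], values, {}, frozenset({name}))


def expanded_size(doc):
    """Expanded length of the element content (everything after the internal
    subset), i.e. what a parser that expands blindly would materialise."""
    body = doc.split("]>", 1)[1] if "]>" in doc else doc
    return _expanded_len(body, _declared(doc), {}, frozenset())


def amplification(doc):
    """Expanded size divided by wire size: the ratio a parser limit must cap."""
    return expanded_size(doc) / len(doc)


class EntityDeclarationRejected(Exception):
    """Raised when the document carries any entity declaration."""


def parse_rejecting_entities(doc):
    """Parse with expat, aborting at the first entity declaration.  Expat
    reports declarations while reading the DTD, before any reference in the
    body is expanded, so the bomb costs nothing.  Returns the element names
    seen, in document order."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # An exception raised inside a handler propagates out of Parse().
        raise EntityDeclarationRejected("refusing entity declaration %r" % name)

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(doc, True)
    return seen


if __name__ == "__main__":
    bomb = billion_laughs()
    print("payload: %d bytes, expands to %d chars (x%.0f)"
          % (len(bomb), expanded_size(bomb), amplification(bomb)))
    try:
        parse_rejecting_entities(bomb)
    except EntityDeclarationRejected as exc:
        print("hardened parser:", exc)
    print("benign document:", parse_rejecting_entities('<a><b>&amp;</b></a>'))
```

The estimator is the check to run on untrusted XML when declarations cannot be refused wholesale: an amplification ratio in the millions from a sub-kilobyte request is exactly the signature a REPORT handler should refuse before handing the body to a parser that expands entities.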
CRD: 2016-11-29
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (1011552) was mentioned in https://build.opensuse.org/request/show/442781 Factory / subversion https://build.opensuse.org/request/show/442782 42.2 / subversion
Submissions hopefully done.
Public at http://subversion.apache.org/security/CVE-2016-8734-advisory.txt
openSUSE-SU-2016:3073-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1011552
CVE References: CVE-2016-8734
Sources used:
openSUSE Leap 42.2 (src): subversion-1.9.5-3.2
SUSE-SU-2017:2163-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1011552,1051362
CVE References: CVE-2016-8734,CVE-2017-9800
Sources used:
SUSE Studio Onsite 1.3 (src): subversion-1.6.17-1.36.9.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): subversion-1.6.17-1.36.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): subversion-1.6.17-1.36.9.1
SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938
CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): subversion-1.8.19-25.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): subversion-1.8.19-25.3.1
released
This is an autogenerated message for OBS integration: This bug (1011552) was mentioned in https://build.opensuse.org/request/show/724598 Factory / subversion