Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - subversion: Command injection through clients via malicious svn+ssh URLs (CVE-2017-9800)

  - Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite     arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file     option. (CVE-2013-4277)

  - Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL     and authentication realm to store cached credentials, which makes it easier for remote servers to obtain     the credentials via a crafted authentication realm. (CVE-2014-3528)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - subversion: Command injection through clients via malicious svn+ssh URLs (CVE-2017-9800)

  - Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite     arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file     option. (CVE-2013-4277)

  - The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x     before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass     intended access restrictions via a realm string that is a prefix of an expected repository realm string.
    (CVE-2016-2167)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

This subversion update includes a security fix and several minor changes.

  - update to 1.7.13 [bnc#836245]

  - User-visible changes :

  - General

  - merge: fix bogus mergeinfo with conflicting file merges

  - diff: fix duplicated path component in '--summarize'     output

  - ra_serf: ignore case when checking certificate common     names

  - Server-side bugfixes :

  - svnserve: fix creation of pid files CVE-2013-4277

  - mod_dav_svn: better status codes for commit failures

  - mod_dav_svn: do not map requests to filesystem

  - Developer-visible changes :

  - General :

  - don't use uninitialized variable to produce an error     code

  - Bindings :

  - swig-pl: fix SVN::Client not honoring config file     settings

  - swig-pl & swig-py: disable unusable     svn_fs_set_warning_func

The version of Subversion Server installed on the remote host is prior to version 1.8.3. It is, therefore, affected by multiple symlink file overwrite vulnerabilities :

  - An error exists in the function 'handle_options' in the     file 'svnwcsub.py' that could allow a local attacker to     use a symlink attack to overwrite arbitrary files. Note     that this issue only affects the 1.8.x branch.
    (CVE-2013-4262)

  - An error exists in the function 'write_pid_file' that     could allow a local attacker to use a symlink attack to     overwrite arbitrary files. (CVE-2013-4277)

The remote host is affected by the vulnerability described in GLSA-201309-11 (Subversion: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Subversion. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could cause a Denial of Service condition or obtain       sensitive information. A local attacker could escalate his privileges to       the user running svnserve.
  Workaround :

    There is no known workaround at this time.

Updated subversion package fixes security vulnerability :

svnserve takes a --pid-file option which creates a file containing the process id it is running as. It does not take steps to ensure that the file it has been directed at is not a symlink. If the pid file is in a directory writeable by unprivileged users, the destination could be replaced by a symlink allowing for privilege escalation. svnserve does not create a pid file by default (CVE-2013-4277).

New subversion packages are available for Slackware 14.0 and -current to fix a security issue.

This update includes the latest stable release of Apache Subversion 1.7, version 1.7.13. One security vulnerability is fixed in this update :

svnserve takes a --pid-file option which creates a file containing the process id it is running as. It does not take steps to ensure that the file it has been directed at is not a symlink. If the pid file is in a directory writeable by unprivileged users, the destination could be replaced by a symlink allowing for privilege escalation. svnserve does not create a pid file by default. (CVE-2013-4277)

Several bug fixes are also included :

  - merge: fix bogus mergeinfo with conflicting file merges

    - diff: fix duplicated path component in '--summarize'       output

    - mod_dav_svn: better status codes for commit failures

    - mod_dav_svn: do not map requests to filesystem

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Subversion Project reports :

svnserve takes a --pid-file option which creates a file containing the process id it is running as. It does not take steps to ensure that the file it has been directed at is not a symlink. If the pid file is in a directory writeable by unprivileged users, the destination could be replaced by a symlink allowing for privilege escalation. svnserve does not create a pid file by default.

All versions are only vulnerable when the --pid-file=ARG option is used.

ID	Name	Product	Family	Severity
199213	RHEL 5 : subversion (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
199158	RHEL 6 : subversion (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
75143	openSUSE Security Update : subversion (openSUSE-SU-2013:1442-1)	Nessus	SuSE Local Security Checks	low
71568	Apache Subversion 1.4.x - 1.7.12 / 1.8.x < 1.8.3 Multiple Symlink File Overwrite Vulnerabilities	Nessus	Windows	low
70084	GLSA-201309-11 : Subversion: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69939	Mandriva Linux Security Advisory : subversion (MDVSA-2013:236)	Nessus	Mandriva Local Security Checks	low
69818	Slackware 14.0 / current : subversion (SSA:2013-251-01)	Nessus	Slackware Local Security Checks	low
69814	Fedora 19 : subversion-1.7.13-1.fc19 (2013-15717)	Nessus	Fedora Local Security Checks	low
69546	FreeBSD : svnserve is vulnerable to a local privilege escalation vulnerability via symlink attack. (f8a913cc-1322-11e3-8ffa-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	low

Detections

Analytics

CVE-2013-4277

medium

Tenable Plugins

critical

critical

low

low

high

low

low

low

low