The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.

The remote Solaris system is missing necessary patches to address security updates :

  - The mod_dav_svn Apache HTTPD server module in Subversion     1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows     remote attackers to cause a denial of service (NULL     pointer dereference and crash) via a PROPFIND request     for an activity URL. (CVE-2013-1849)

  - The is_this_legal function in mod_dontdothat for Apache     Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4     allows remote attackers to bypass intended access     restrictions and possibly cause a denial of service     (resource consumption) via a relative URL in a REPORT     request. (CVE-2013-4505)

This update fixes the following issues with subversion :

  - bnc#850747: update to 1.7.14

  - CVE-2013-4505: mod_dontdothat does not restrict requests     from serf clients.

  - CVE-2013-4558: mod_dav_svn assertion triggered by     autoversioning commits.

  + Client- and server-side bugfixes :

  - fix assertion on urls of the form 'file://./'

  + Client-side bugfixes :

  - upgrade: fix an assertion when used with pre-1.3 wcs

  - fix externals that point at redirected locations

  - diff: fix incorrect calculation of changes in some cases

  - diff: fix errors with added/deleted targets

  + Server-side bugfixes :

  - mod_dav_svn: Prevent crashes with some 3rd party modules

  - fix OOM on concurrent requests at threaded server start

  - fsfs: limit commit time of files with deep change     histories

  - mod_dav_svn: canonicalize paths properly

  + Other tool improvements and bugfixes :

  - mod_dontdothat: Fix the uri parser

  + Developer-visible changes :

  - javahl: canonicalize path for streamFileContent method

  + require python-sqlite when running regression tests

This update fixes the following issues with subversion (CVE-2013-4505,CVE-2013-4558) :

  - bnc#850747: update to 1.8.5

  - CVE-2013-4505: mod_dontdothat does not restrict requests     from serf clients.

  - CVE-2013-4558: mod_dav_svn assertion triggered by     autoversioning commits.

  + Client-side bugfixes :

  - fix externals that point at redirected locations

  - diff: fix assertion with move inside a copy

  + Server-side bugfixes :

  - mod_dav_svn: Prevent crashes with some 3rd party modules

  - mod_dav_svn: canonicalize paths properly

  - mod_authz_svn: fix crash of mod_authz_svn with invalid     config

  - hotcopy: fix hotcopy losing revprop files in packed     repos

  + Other tool improvements and bugfixes :

  - mod_dontdothat: Fix the uri parser

  + Developer-visible changes :

  - fix compilation with '--enable-optimize' with clang

  - add test to fail when built against broken ZLib

  + Bindings :

  - ctypes-python: build with compiler selected via     configure

  - require python-sqlite when running regression tests for     all targets, no longer pulled in implicitly

  - print error logs on regression test failures

  - fix regression tests for ppc/ppc64 architectures, found     in openSUSE package build and fixed with upstream     developers

  - if running regression tests, also run them against bdb     backend

  - update keyring, use Subversion Project Management     Committee keyring rather than all committers

New subversion packages are available for Slackware 14.0, 14.1, and
-current to fix denial-of-service issues.

This update includes the latest stable release of Apache Subversion 1.8, version 1.8.5. Two security fixes are included :

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat. (CVE-2013-4505)

When SVNAutoversioning is enabled via 'SVNAutoversioning on' commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort.
(CVE-2013-4558)

Other fixes included in this update are as follows :

Client-side bugfixes :

  - fix externals that point at redirected locations

    - diff: fix assertion with move inside a copy

Server-side bugfixes :

  - mod_dav_svn: Prevent crashes with some 3rd party modules

    - mod_authz_svn: fix crash of mod_authz_svn with invalid       config

    - hotcopy: fix hotcopy losing revprop files in packed       repos

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.

The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.

The installed version of Subversion Server is affected by multiple denial of service vulnerabilities :

  - An error exists related to the 'mod_dontdothat' module     and handling relative URLs sent from serf-based     clients. (CVE-2013-4505)

  - An error exists related to the 'mod_dav_svn' module and     handling unspecified requests. Note that this issue     reportedly only affects the 1.7 and 1.8 branches,     including versions 1.7.11 through 1.7.13 and 1.8.1     through 1.8.4. (CVE-2013-4558)

Updated subversion package fixes security vulnerabilities :

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat (CVE-2013-4505).

When SVNAutoversioning is enabled via SVNAutoversioning on, commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort (CVE-2013-4558).

This update includes the latest stable release of Apache Subversion 1.7, version 1.7.14. Two security fixes are included :

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat. (CVE-2013-4505)

When SVNAutoversioning is enabled via 'SVNAutoversioning on' commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort.
(CVE-2013-4558)

Other bug fixes included in this update are as follows :

Client- and server-side bugfixes :

  - fix assertion on urls of the form 'file://./'

Client-side bugfixes :

  - upgrade: fix an assertion when used with pre-1.3 wcs

    - fix externals that point at redirected locations

    - diff: fix incorrect calculation of changes in some       cases

    - diff: fix errors with added/deleted targets

Server-side bugfixes :

  - mod_dav_svn: Prevent crashes with some 3rd party modules

    - fix OOM on concurrent requests at threaded server       start

    - fsfs: limit commit time of files with deep change       histories

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Subversion Project reports :

mod_dontdothat does not restrict requests from serf based clients

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat.

mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits

When SVNAutoversioning is enabled via SVNAutoversioning on commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort.

ID	Name	Product	Family	Severity
80777	Oracle Solaris Third-Party Patch Update : subversion (cve_2009_0179_denial_of1)	Nessus	Solaris Local Security Checks	medium
75226	openSUSE Security Update : subversion (openSUSE-SU-2013:1860-1)	Nessus	SuSE Local Security Checks	low
75223	openSUSE Security Update : subversion (openSUSE-SU-2013:1836-1)	Nessus	SuSE Local Security Checks	low
72731	Slackware 14.0 / 14.1 / current : subversion (SSA:2014-058-01)	Nessus	Slackware Local Security Checks	medium
71775	Fedora 20 : subversion-1.8.5-2.fc20 (2013-22575)	Nessus	Fedora Local Security Checks	low
71581	Amazon Linux AMI : subversion (ALAS-2013-269)	Nessus	Amazon Linux Local Security Checks	low
71569	Apache Subversion 1.4.x - 1.7.13 / 1.8.x < 1.8.5 Multiple DoS	Nessus	Windows	low
71508	Mandriva Linux Security Advisory : subversion (MDVSA-2013:288)	Nessus	Mandriva Local Security Checks	low
71327	Fedora 18 : subversion-1.7.14-1.fc18 (2013-22313)	Nessus	Fedora Local Security Checks	low
71326	Fedora 19 : subversion-1.7.14-1.fc19 (2013-22208)	Nessus	Fedora Local Security Checks	low
71088	FreeBSD : subversion -- multiple vulnerabilities (e3244a7b-5603-11e3-878d-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	low

Detections

Analytics

CVE-2013-4505

high

Tenable Plugins

medium

low

low

medium

low

low

low

low

low

low

low