openSUSE Security Update : subversion (openSUSE-SU-2013:0687-1)

medium Nessus Plugin ID 74976

Synopsis

The remote openSUSE host is missing a security update.

Description

Subversion received minor version updates to fix remotely triggerable vulnerabilities in mod_dav_svn that may result in denial of service.

On openSUSE 12.1 :

- update to 1.6.21 [bnc#813913], addressing remotely triggerable

+ CVE-2013-1845: mod_dav_svn excessive memory usage from property changes

+ CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs

+ CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs

+ CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs

- further changes :

+ mod_dav_svn will omit some property values for activity URLs

+ improve memory usage when committing properties in mod_dav_svn

+ fix mod_dav_svn running pre-revprop-change twice

+ fixed: post-revprop-change errors cancel commit

+ improved logic in mod_dav_svn's implementation of lock.

+ fix a compatibility issue with g++ 4.7

On openSUSE 12.2 and 12.3 :

- update to 1.7.9 [bnc#813913], addressing remotely triggerable vulnerabilities in mod_dav_svn which may result in denial of service :

+ CVE-2013-1845: mod_dav_svn excessive memory usage from property changes

+ CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs

+ CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs

+ CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs

+ CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT

- further changes :

+ Client-side bugfixes :

- improved error messages about svn:date and svn:author props.

- fix local_relpath assertion

- fix memory leak in `svn log` over svn://

- fix incorrect authz failure when using neon http library

- fix segfault when using kwallet

+ Server-side bugfixes :

- svnserve will log the replayed rev not the low-water rev.

- mod_dav_svn will omit some property values for activity URLs

- fix an assertion in mod_dav_svn when acting as a proxy on /

- improve memory usage when committing properties in mod_dav_svn

- fix svnrdump to load dump files with non-LF line endings

- fix assertion when rep-cache is inaccessible

- improved logic in mod_dav_svn's implementation of lock.

- avoid executing unnecessary code in log with limit

- Developer-visible changes :

+ General :

- fix an assertion in dav_svn_get_repos_path() on Windows

- fix get-deps.sh to correctly download zlib

- doxygen docs will now ignore prefixes when producing the index

- fix get-deps.sh on freebsd

+ Bindings :

- javahl status api now respects the ignoreExternals boolean

- refresh subversion-no-build-date.patch for upstream source changes

Solution

Update the affected subversion packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=813913

https://lists.opensuse.org/opensuse-updates/2013-04/msg00095.html

Plugin Details

Severity: Medium

ID: 74976

File Name: openSUSE-2013-345.nasl

Version: 1.6

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:subversion-bash-completion, p-cpe:/a:novell:opensuse:subversion-server, cpe:/o:novell:opensuse:12.1, p-cpe:/a:novell:opensuse:subversion-devel, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0-debuginfo, p-cpe:/a:novell:opensuse:subversion-ruby-debuginfo, p-cpe:/a:novell:opensuse:subversion-python, p-cpe:/a:novell:opensuse:subversion-tools-debuginfo, p-cpe:/a:novell:opensuse:subversion-python-debuginfo, p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0-debuginfo, p-cpe:/a:novell:opensuse:subversion-perl, p-cpe:/a:novell:opensuse:subversion-debuginfo, p-cpe:/a:novell:opensuse:subversion-tools, p-cpe:/a:novell:opensuse:subversion-ruby, cpe:/o:novell:opensuse:12.3, cpe:/o:novell:opensuse:12.2, p-cpe:/a:novell:opensuse:subversion-perl-debuginfo, p-cpe:/a:novell:opensuse:subversion, p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0, p-cpe:/a:novell:opensuse:subversion-debugsource, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0, p-cpe:/a:novell:opensuse:subversion-server-debuginfo

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 4/8/2013

Reference Information

CVE: CVE-2013-1845, CVE-2013-1846, CVE-2013-1847, CVE-2013-1849, CVE-2013-1884