Detections
Analytics

openSUSE Security Update : subversion (openSUSE-SU-2013:0687-1)

medium Nessus Plugin ID 74976

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

Subversion received minor version updates to fix remote triggerable vulnerabilities in mod_dav_svn which may result in denial of service.

On openSUSE 12.1 :

 - update to 1.6.21 [bnc#813913], addressing remotely triggerable

+ CVE-2013-1845: mod_dav_svn excessive memory usage from property changes

 + CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs

 + CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs

 + CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs

 - further changes :

 + mod_dav_svn will omit some property values for activity urls

 + improve memory usage when committing properties in mod_dav_svn

 + fix mod_dav_svn runs pre-revprop-change twice

 + fixed: post-revprop-change errors cancel commit

 + improved logic in mod_dav_svn's implementation of lock.

 + fix a compatibility issue with g++ 4.7

On openSUSE 12.2 and 12.3 :

 - update to 1.7.9 [bnc#813913], addressing remotely triggerable vulnerabilities in mod_dav_svn which may result in denial of service :

 + CVE-2013-1845: mod_dav_svn excessive memory usage from property changes

 + CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs

 + CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs

 + CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs

 + CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT

 - further changes :

 + Client-side bugfixes :

 - improved error messages about svn:date and svn:author props.

 - fix local_relpath assertion

 - fix memory leak in `svn log` over svn://

 - fix incorrect authz failure when using neon http library

 - fix segfault when using kwallet

 + Server-side bugfixes :

 - svnserve will log the replayed rev not the low-water rev.

 - mod_dav_svn will omit some property values for activity urls

 - fix an assertion in mod_dav_svn when acting as a proxy on /

 - improve memory usage when committing properties in mod_dav_svn

 - fix svnrdump to load dump files with non-LF line endings

 - fix assertion when rep-cache is inaccessible

 - improved logic in mod_dav_svn's implementation of lock.

 - avoid executing unnecessary code in log with limit

 - Developer-visible changes :

 + General :

 - fix an assertion in dav_svn_get_repos_path() on Windows

 - fix get-deps.sh to correctly download zlib

 - doxygen docs will now ignore prefixes when producing the index

 - fix get-deps.sh on freebsd

 + Bindings :

 - javahl status api now respects the ignoreExternals boolean

 - refresh subversion-no-build-date.patch for upstream source changes

Solution

Update the affected subversion packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=813913

https://lists.opensuse.org/opensuse-updates/2013-04/msg00095.html

Plugin Details

Severity: Medium

ID: 74976

File Name: openSUSE-2013-345.nasl

Version: 1.6

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:subversion-server, p-cpe:/a:novell:opensuse:subversion-server-debuginfo, p-cpe:/a:novell:opensuse:subversion-tools, p-cpe:/a:novell:opensuse:subversion-tools-debuginfo, cpe:/o:novell:opensuse:12.1, cpe:/o:novell:opensuse:12.2, cpe:/o:novell:opensuse:12.3, p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0, p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0-debuginfo, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0, p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0-debuginfo, p-cpe:/a:novell:opensuse:subversion, p-cpe:/a:novell:opensuse:subversion-bash-completion, p-cpe:/a:novell:opensuse:subversion-debuginfo, p-cpe:/a:novell:opensuse:subversion-debugsource, p-cpe:/a:novell:opensuse:subversion-devel, p-cpe:/a:novell:opensuse:subversion-perl, p-cpe:/a:novell:opensuse:subversion-perl-debuginfo, p-cpe:/a:novell:opensuse:subversion-python, p-cpe:/a:novell:opensuse:subversion-python-debuginfo, p-cpe:/a:novell:opensuse:subversion-ruby, p-cpe:/a:novell:opensuse:subversion-ruby-debuginfo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 4/8/2013

Reference Information

CVE: CVE-2013-1845, CVE-2013-1846, CVE-2013-1847, CVE-2013-1849, CVE-2013-1884