Fedora 22 : subversion-1.8.15-1.fc22 (2015-6efa349a85)

high Nessus Plugin ID 89276

Synopsis

The remote Fedora host is missing a security update.

Description

This update includes the latest stable release of _Apache Subversion 1.8_, version **1.8.15**. This update fixes two security issues: *
**CVE-2015-3184**: Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4.
http://subversion.apache.org/security/CVE-2015-3184-advisory.txt *
**CVE-2015-3187**: Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by path-based authz.
http://subversion.apache.org/security/CVE-2015-3187-advisory.txt ### User- visible changes: #### Client-side bugfixes: * gpg-agent: fix crash with non- canonical $HOME * document svn:autoprops * cp: fix 'svn cp ^/A/D/H at 1 ^/A' to properly create A * resolve: improve conflict prompts for binary files * ls: improve performance of '-v' on tag directories * improved Sqlite 3.8.9 query performance regression on externals * fixed [issue 4580](http://subversion.tigris.org/issues/show_bug.cgi?id=4580): 'svn
-v st' on file externals reports '?' instead of user and revision after 'svn up' #### Client-side and server-side bugfixes: * fix a segfault with old style text delta #### Server-side bugfixes: * fsfs:
reduce memory allocation with Apache * mod_dav_svn: emit first log items as soon as possible * mod_dav_svn: use LimitXMLRequestBody for skel-encoded requests * mod_dav_svn: do not ignore skel parsing errors
* detect invalid svndiff data earlier * prevent possible repository corruption on power/disk failures * fixed [issue 4577](http://subversion.tigris.org/issues/show_bug.cgi?id=4577): Read error with nodes whose DELTA chain starts with a PLAIN rep * fixed [issue 4531](http://subversion.tigris.org/issues/show_bug.cgi?id=4531):
server-side copy (over dav) is slow and uses too much memory #### Bindings bugfixes: * swig: fix memory corruption in svn_client_copy_source_t ### Developer-visible changes: #### General:
* avoid failing some tests on versions of Python with a very old sqlite * fix Ruby tests so they don't use the users real configuration #### Bindings: * swig-pl: fix some stack memory problems

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected subversion package.

See Also

http://subversion.apache.org/security/CVE-2015-3184-advisory.txt

http://subversion.apache.org/security/CVE-2015-3187-advisory.txt

http://subversion.tigris.org/issues/show_bug.cgi?id=4531

http://subversion.tigris.org/issues/show_bug.cgi?id=4577

http://subversion.tigris.org/issues/show_bug.cgi?id=4580

https://bugzilla.redhat.com/show_bug.cgi?id=1247249

https://bugzilla.redhat.com/show_bug.cgi?id=1289958

https://bugzilla.redhat.com/show_bug.cgi?id=1289959

http://www.nessus.org/u?d9de6dbe

Plugin Details

Severity: High

ID: 89276

File Name: fedora_2015-6efa349a85.nasl

Version: 2.4

Type: local

Agent: unix

Published: 3/4/2016

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:22, p-cpe:/a:fedoraproject:fedora:subversion

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 2/29/2016

Reference Information

CVE: CVE-2015-3184, CVE-2015-5259, CVE-2015-5343