Bug 33285
| Summary: | subversion: Multiple issues (3.2) | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Moritz Muehlenhoff <jmm> |
| Component: | Security updates | Assignee: | Daniel Tröder <troeder> |
| Status: | CLOSED FIXED | QA Contact: | Janek Walkenhorst <walkenhorst> |
| Severity: | normal | ||
| Priority: | P3 | CC: | gohmann, jmm, requate, walkenhorst |
| Version: | UCS 3.2 | Flags: | requate:
Patch_Available+
|
| Target Milestone: | UCS 3.2-7-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
|
Description
Moritz Muehlenhoff
Denial of service in mod_dav_svn (CVE-2014-0032) Credentials cached are only validated based on the MD5 hash (CVE-2014-3528) Denial of service in mod_dav_svn (CVE-2014-3580) * mod_dav_svn and svnserve: Denial of service via crafted parameter combinations (CVE-2015-0248) * mod_dav_svn: Spoofing of svn:author by remote authenticated users (CVE-2015-0251) Upstream Debian package version 1.6.12dfsg-7+deb6u3 additionally fixes * CVE-2015-3187: The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path. These are now classified as minor: * CVE-2013-4277 (Minor issue, PID file not created by default) * CVE-2014-3528 (Minor issue) All other issues above are fixed in the latest upstream package. 1.6.12dfsg-7+deb6u3 was imported and built to scope errata3.2-7. YAML (r64103): 2015-09-30-subversion.yaml Tests: OK Advisory: OK |