From Mageia wiki

MGASA-2013-0127

Date: May 2nd, 2013
Affected releases: 2
Media: Core


Description:
Updated subversion packages fix security vulnerabilities:

Subversion's mod_dav_svn Apache HTTPD server module will use excessive
amounts of memory when a large number of properties are set or deleted
on a node. This can lead to a DoS. There are no known instances of
this problem being observed in the wild (CVE-2013-1845).

Subversion's mod_dav_svn Apache HTTPD server module will crash when
a LOCK request is made against activity URLs. This can lead to a
DoS. There are no known instances of this problem being observed in
the wild (CVE-2013-1846).

Subversion's mod_dav_svn Apache HTTPD server module will crash in
some circumstances when a LOCK request is made against a non-existent
URL. This can lead to a DoS. There are no known instances of this
problem being observed in the wild (CVE-2013-1847).

Subversion's mod_dav_svn Apache HTTPD server module will crash when
a PROPFIND request is made against activity URLs. This can lead to a
DoS. There are no known instances of this problem being observed in
the wild, but the details of how to exploit it have been disclosed
on the full disclosure mailing list (CVE-2013-1849).

Subversion's mod_dav_svn Apache HTTPD server module will crash when
a log REPORT request receives a limit that is out of the allowed
range. This can lead to a DoS. There are no known instances of this
problem being used as a DoS in the wild (CVE-2013-1884).


Updated Packages:
i586:
apache-mod_dav_svn-1.7.9-1.mga2.i586.rpm
libsvn0-1.7.9-1.mga2.i586.rpm
libsvn-gnome-keyring0-1.7.9-1.mga2.i586.rpm
libsvnjavahl1-1.7.9-1.mga2.i586.rpm
libsvn-kwallet0-1.7.9-1.mga2.i586.rpm
perl-SVN-1.7.9-1.mga2.i586.rpm
perl-svn-devel-1.7.9-1.mga2.i586.rpm
python-svn-1.7.9-1.mga2.i586.rpm
python-svn-devel-1.7.9-1.mga2.i586.rpm
ruby-svn-1.7.9-1.mga2.i586.rpm
ruby-svn-devel-1.7.9-1.mga2.i586.rpm
subversion-1.7.9-1.mga2.i586.rpm
subversion-devel-1.7.9-1.mga2.i586.rpm
subversion-doc-1.7.9-1.mga2.i586.rpm
subversion-gnome-keyring-devel-1.7.9-1.mga2.i586.rpm
subversion-kwallet-devel-1.7.9-1.mga2.i586.rpm
subversion-server-1.7.9-1.mga2.i586.rpm
subversion-tools-1.7.9-1.mga2.i586.rpm
svn-javahl-1.7.9-1.mga2.i586.rpm
subversion-debug-1.7.9-1.mga2.i586.rpm

x86_64:
apache-mod_dav_svn-1.7.9-1.mga2.x86_64.rpm
lib64svn0-1.7.9-1.mga2.x86_64.rpm
lib64svn-gnome-keyring0-1.7.9-1.mga2.x86_64.rpm
lib64svnjavahl1-1.7.9-1.mga2.x86_64.rpm
lib64svn-kwallet0-1.7.9-1.mga2.x86_64.rpm
perl-SVN-1.7.9-1.mga2.x86_64.rpm
perl-svn-devel-1.7.9-1.mga2.x86_64.rpm
python-svn-1.7.9-1.mga2.x86_64.rpm
python-svn-devel-1.7.9-1.mga2.x86_64.rpm
ruby-svn-1.7.9-1.mga2.x86_64.rpm
ruby-svn-devel-1.7.9-1.mga2.x86_64.rpm
subversion-1.7.9-1.mga2.x86_64.rpm
subversion-devel-1.7.9-1.mga2.x86_64.rpm
subversion-doc-1.7.9-1.mga2.x86_64.rpm
subversion-gnome-keyring-devel-1.7.9-1.mga2.x86_64.rpm
subversion-kwallet-devel-1.7.9-1.mga2.x86_64.rpm
subversion-server-1.7.9-1.mga2.x86_64.rpm
subversion-tools-1.7.9-1.mga2.x86_64.rpm
svn-javahl-1.7.9-1.mga2.x86_64.rpm
subversion-debug-1.7.9-1.mga2.x86_64.rpm

SRPMS:
subversion-1.7.9-1.mga2.src.rpm


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1884
http://subversion.apache.org/security/CVE-2013-1845-advisory.txt
http://subversion.apache.org/security/CVE-2013-1846-advisory.txt
http://subversion.apache.org/security/CVE-2013-1847-advisory.txt
http://subversion.apache.org/security/CVE-2013-1849-advisory.txt
http://subversion.apache.org/security/CVE-2013-1884-advisory.txt
http://svn.apache.org/repos/asf/subversion/tags/1.7.9/CHANGES
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:153/
https://bugs.mageia.org/show_bug.cgi?id=9624