[RHSA-2015:0165-01] Moderate: subversion security update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: subversion security update
Advisory ID: RHSA-2015:0165-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0165.html
Issue date: 2015-02-10
CVE Names: CVE-2014-3528 CVE-2014-3580
=====================================================================

1. Summary:

Updated subversion packages that fix two security issues are now available
for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64

3. Description:

Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes. The
mod_dav_svn module is used with the Apache HTTP Server to allow access
to Subversion repositories via HTTP.

A NULL pointer dereference flaw was found in the way the mod_dav_svn module
handled REPORT requests. A remote, unauthenticated attacker could use a
specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580)

It was discovered that Subversion clients retrieved cached authentication
credentials using the MD5 hash of the server realm string without also
checking the server's URL. A malicious server able to provide a realm that
triggers an MD5 collision could possibly use this flaw to obtain the
credentials for a different realm. (CVE-2014-3528)
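
As an added illustration, not part of the advisory or of Subversion's own code, of what the CVE-2014-3528 fix checks: a toy model of the client-side credential cache, keyed by the MD5 of the realm string, with the lookup before and after the server-URL check is added. The cache layout, field names, sample realm and credentials are constructed assumptions; no MD5 collision is computed, the example only models the outcome of one (a lookup that arrives at an existing cache key from a different server).

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed model: Subversion names each "svn.simple" cache file after the
# MD5 of the realm string and stores the realm string inside the file. The
# realm string carries the server URL, e.g. "<https://host:443> Repo Name".
REALM_RE = re.compile(r"^<(?P<url>[^>]+)>")
DEFAULT_PORTS = {"http": 80, "https": 443, "svn": 3690}


def realm_key(realmstring: str) -> str:
    """Cache file name: hex MD5 of the realm string."""
    return hashlib.md5(realmstring.encode("utf-8")).hexdigest()


def server_identity(url: str):
    """Normalise a URL to (scheme, host, port) so two spellings compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def realm_matches_server(realmstring: str, server_url: str) -> bool:
    """Post-fix check: the URL embedded in the cached realm string must name
    the server the client is actually talking to."""
    m = REALM_RE.match(realmstring)
    return m is not None and server_identity(m.group("url")) == server_identity(server_url)


class CredentialCache:
    def __init__(self):
        self._files = {}  # key -> stored fields, standing in for files on disk

    def save(self, realmstring, username, password):
        self._files[realm_key(realmstring)] = {
            "svn:realmstring": realmstring, "username": username, "password": password}

    def lookup_unchecked(self, key):
        # Pre-fix behaviour: whatever file the hash points at is trusted as-is.
        return self._files.get(key)

    def lookup_checked(self, key, server_url):
        # Fixed behaviour: the stored realm's URL must match the current server.
        entry = self._files.get(key)
        if entry is None or not realm_matches_server(entry["svn:realmstring"], server_url):
            return None
        return entry
```

A server at a different host that reaches the same key gets the entry from lookup_unchecked and nothing from lookup_checked; the same key queried for the original host still succeeds.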

Red Hat would like to thank the Subversion project for reporting
CVE-2014-3580. Upstream acknowledges Evgeny Kotkov of VisualSVN as the
original reporter.

All subversion users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, for the update to take effect, you must restart the httpd
daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are
serving Subversion repositories via the svn:// protocol.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1125799 - CVE-2014-3528 subversion: credentials leak via MD5 collision
1174054 - CVE-2014-3580 subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests

6. Package List:

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
subversion-1.6.11-12.el6_6.src.rpm

i386:
mod_dav_svn-1.6.11-12.el6_6.i686.rpm
subversion-1.6.11-12.el6_6.i686.rpm
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-devel-1.6.11-12.el6_6.i686.rpm
subversion-gnome-1.6.11-12.el6_6.i686.rpm
subversion-javahl-1.6.11-12.el6_6.i686.rpm
subversion-kde-1.6.11-12.el6_6.i686.rpm
subversion-perl-1.6.11-12.el6_6.i686.rpm
subversion-ruby-1.6.11-12.el6_6.i686.rpm

noarch:
subversion-svn2cl-1.6.11-12.el6_6.noarch.rpm

x86_64:
mod_dav_svn-1.6.11-12.el6_6.x86_64.rpm
subversion-1.6.11-12.el6_6.i686.rpm
subversion-1.6.11-12.el6_6.x86_64.rpm
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-debuginfo-1.6.11-12.el6_6.x86_64.rpm
subversion-devel-1.6.11-12.el6_6.i686.rpm
subversion-devel-1.6.11-12.el6_6.x86_64.rpm
subversion-gnome-1.6.11-12.el6_6.i686.rpm
subversion-gnome-1.6.11-12.el6_6.x86_64.rpm
subversion-javahl-1.6.11-12.el6_6.i686.rpm
subversion-javahl-1.6.11-12.el6_6.x86_64.rpm
subversion-kde-1.6.11-12.el6_6.i686.rpm
subversion-kde-1.6.11-12.el6_6.x86_64.rpm
subversion-perl-1.6.11-12.el6_6.i686.rpm
subversion-perl-1.6.11-12.el6_6.x86_64.rpm
subversion-ruby-1.6.11-12.el6_6.i686.rpm
subversion-ruby-1.6.11-12.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
subversion-1.6.11-12.el6_6.src.rpm

noarch:
subversion-svn2cl-1.6.11-12.el6_6.noarch.rpm

x86_64:
mod_dav_svn-1.6.11-12.el6_6.x86_64.rpm
subversion-1.6.11-12.el6_6.i686.rpm
subversion-1.6.11-12.el6_6.x86_64.rpm
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-debuginfo-1.6.11-12.el6_6.x86_64.rpm
subversion-devel-1.6.11-12.el6_6.i686.rpm
subversion-devel-1.6.11-12.el6_6.x86_64.rpm
subversion-gnome-1.6.11-12.el6_6.i686.rpm
subversion-gnome-1.6.11-12.el6_6.x86_64.rpm
subversion-javahl-1.6.11-12.el6_6.i686.rpm
subversion-javahl-1.6.11-12.el6_6.x86_64.rpm
subversion-kde-1.6.11-12.el6_6.i686.rpm
subversion-kde-1.6.11-12.el6_6.x86_64.rpm
subversion-perl-1.6.11-12.el6_6.i686.rpm
subversion-perl-1.6.11-12.el6_6.x86_64.rpm
subversion-ruby-1.6.11-12.el6_6.i686.rpm
subversion-ruby-1.6.11-12.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
subversion-1.6.11-12.el6_6.src.rpm

i386:
mod_dav_svn-1.6.11-12.el6_6.i686.rpm
subversion-1.6.11-12.el6_6.i686.rpm
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-javahl-1.6.11-12.el6_6.i686.rpm

ppc64:
mod_dav_svn-1.6.11-12.el6_6.ppc64.rpm
subversion-1.6.11-12.el6_6.ppc.rpm
subversion-1.6.11-12.el6_6.ppc64.rpm
subversion-debuginfo-1.6.11-12.el6_6.ppc.rpm
subversion-debuginfo-1.6.11-12.el6_6.ppc64.rpm

s390x:
mod_dav_svn-1.6.11-12.el6_6.s390x.rpm
subversion-1.6.11-12.el6_6.s390.rpm
subversion-1.6.11-12.el6_6.s390x.rpm
subversion-debuginfo-1.6.11-12.el6_6.s390.rpm
subversion-debuginfo-1.6.11-12.el6_6.s390x.rpm

x86_64:
mod_dav_svn-1.6.11-12.el6_6.x86_64.rpm
subversion-1.6.11-12.el6_6.i686.rpm
subversion-1.6.11-12.el6_6.x86_64.rpm
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-debuginfo-1.6.11-12.el6_6.x86_64.rpm
subversion-javahl-1.6.11-12.el6_6.i686.rpm
subversion-javahl-1.6.11-12.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-devel-1.6.11-12.el6_6.i686.rpm
subversion-gnome-1.6.11-12.el6_6.i686.rpm
subversion-kde-1.6.11-12.el6_6.i686.rpm
subversion-perl-1.6.11-12.el6_6.i686.rpm
subversion-ruby-1.6.11-12.el6_6.i686.rpm

noarch:
subversion-svn2cl-1.6.11-12.el6_6.noarch.rpm

ppc64:
subversion-debuginfo-1.6.11-12.el6_6.ppc.rpm
subversion-debuginfo-1.6.11-12.el6_6.ppc64.rpm
subversion-devel-1.6.11-12.el6_6.ppc.rpm
subversion-devel-1.6.11-12.el6_6.ppc64.rpm
subversion-gnome-1.6.11-12.el6_6.ppc.rpm
subversion-gnome-1.6.11-12.el6_6.ppc64.rpm
subversion-javahl-1.6.11-12.el6_6.ppc.rpm
subversion-javahl-1.6.11-12.el6_6.ppc64.rpm
subversion-kde-1.6.11-12.el6_6.ppc.rpm
subversion-kde-1.6.11-12.el6_6.ppc64.rpm
subversion-perl-1.6.11-12.el6_6.ppc.rpm
subversion-perl-1.6.11-12.el6_6.ppc64.rpm
subversion-ruby-1.6.11-12.el6_6.ppc.rpm
subversion-ruby-1.6.11-12.el6_6.ppc64.rpm

s390x:
subversion-debuginfo-1.6.11-12.el6_6.s390.rpm
subversion-debuginfo-1.6.11-12.el6_6.s390x.rpm
subversion-devel-1.6.11-12.el6_6.s390.rpm
subversion-devel-1.6.11-12.el6_6.s390x.rpm
subversion-gnome-1.6.11-12.el6_6.s390.rpm
subversion-gnome-1.6.11-12.el6_6.s390x.rpm
subversion-javahl-1.6.11-12.el6_6.s390.rpm
subversion-javahl-1.6.11-12.el6_6.s390x.rpm
subversion-kde-1.6.11-12.el6_6.s390.rpm
subversion-kde-1.6.11-12.el6_6.s390x.rpm
subversion-perl-1.6.11-12.el6_6.s390.rpm
subversion-perl-1.6.11-12.el6_6.s390x.rpm
subversion-ruby-1.6.11-12.el6_6.s390.rpm
subversion-ruby-1.6.11-12.el6_6.s390x.rpm

x86_64:
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-debuginfo-1.6.11-12.el6_6.x86_64.rpm
subversion-devel-1.6.11-12.el6_6.i686.rpm
subversion-devel-1.6.11-12.el6_6.x86_64.rpm
subversion-gnome-1.6.11-12.el6_6.i686.rpm
subversion-gnome-1.6.11-12.el6_6.x86_64.rpm
subversion-kde-1.6.11-12.el6_6.i686.rpm
subversion-kde-1.6.11-12.el6_6.x86_64.rpm
subversion-perl-1.6.11-12.el6_6.i686.rpm
subversion-perl-1.6.11-12.el6_6.x86_64.rpm
subversion-ruby-1.6.11-12.el6_6.i686.rpm
subversion-ruby-1.6.11-12.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
subversion-1.6.11-12.el6_6.src.rpm

i386:
mod_dav_svn-1.6.11-12.el6_6.i686.rpm
subversion-1.6.11-12.el6_6.i686.rpm
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-javahl-1.6.11-12.el6_6.i686.rpm

x86_64:
mod_dav_svn-1.6.11-12.el6_6.x86_64.rpm
subversion-1.6.11-12.el6_6.i686.rpm
subversion-1.6.11-12.el6_6.x86_64.rpm
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-debuginfo-1.6.11-12.el6_6.x86_64.rpm
subversion-javahl-1.6.11-12.el6_6.i686.rpm
subversion-javahl-1.6.11-12.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-devel-1.6.11-12.el6_6.i686.rpm
subversion-gnome-1.6.11-12.el6_6.i686.rpm
subversion-kde-1.6.11-12.el6_6.i686.rpm
subversion-perl-1.6.11-12.el6_6.i686.rpm
subversion-ruby-1.6.11-12.el6_6.i686.rpm

noarch:
subversion-svn2cl-1.6.11-12.el6_6.noarch.rpm

x86_64:
subversion-debuginfo-1.6.11-12.el6_6.i686.rpm
subversion-debuginfo-1.6.11-12.el6_6.x86_64.rpm
subversion-devel-1.6.11-12.el6_6.i686.rpm
subversion-devel-1.6.11-12.el6_6.x86_64.rpm
subversion-gnome-1.6.11-12.el6_6.i686.rpm
subversion-gnome-1.6.11-12.el6_6.x86_64.rpm
subversion-kde-1.6.11-12.el6_6.i686.rpm
subversion-kde-1.6.11-12.el6_6.x86_64.rpm
subversion-perl-1.6.11-12.el6_6.i686.rpm
subversion-perl-1.6.11-12.el6_6.x86_64.rpm
subversion-ruby-1.6.11-12.el6_6.i686.rpm
subversion-ruby-1.6.11-12.el6_6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-3528
https://access.redhat.com/security/cve/CVE-2014-3580
https://access.redhat.com/security/updates/classification/#moderate
https://subversion.apache.org/security/CVE-2014-3528-advisory.txt
https://subversion.apache.org/security/CVE-2014-3580-advisory.txt

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.