[security-announce] SUSE-SU-2017:2200-1: important: Security update for subversion

SUSE Security Update: Security update for subversion
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2200-1
Rating:             important
References:         #1011552 #1026936 #1051362 #897033 #909935 #911620 #916286
                    #923793 #923794 #923795 #939514 #939517 #942819 #958300
                    #969159 #976849 #976850 #977424 #983938
Cross-References:   CVE-2014-3580 CVE-2014-8108 CVE-2015-0202 CVE-2015-0248
                    CVE-2015-0251 CVE-2015-3184 CVE-2015-3187 CVE-2015-5343
                    CVE-2016-2167 CVE-2016-2168 CVE-2016-8734 CVE-2017-9800

Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Software Development Kit 12-SP2
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 7 fixes is now available.

 

Description:

This update for subversion fixes the following issues:

- CVE-2017-9800: A malicious, compromised server or MITM may cause the svn
  client to execute arbitrary commands by sending repository content with
  svn:externals definitions pointing to crafted svn+ssh URLs. (bsc#1051362)

- A malicious user may commit SHA-1 collisions and cause repository
  inconsistencies. (bsc#1026936)

- CVE-2016-8734: Unrestricted XML entity expansion in mod_dontdothat and
  Subversion clients using http(s):// could lead to denial of service.
  (bsc#1011552)

- CVE-2016-2167: svnserve/sasl may authenticate users using the wrong
  realm. (bsc#976849)

- CVE-2016-2168: Remotely triggerable DoS vulnerability in mod_authz_svn
  during COPY/MOVE authorization check. (bsc#976850)

- mod_authz_svn: fix authz with mod_auth_kerb/mod_auth_ntlm. (bsc#977424)

- Make the subversion package conflict with KWallet and Gnome Keyring
  packages which do not require matching subversion versions in SLE 12 and
  openSUSE Leap 42.1 and thus break the main package upon partial upgrade.
  (bsc#969159)

- CVE-2015-5343: Remotely triggerable heap overflow and out-of-bounds read
  in mod_dav_svn caused by integer overflow when parsing skel-encoded
  request bodies. (bsc#958300)

- Avoid recommending 180+ new packages for installation on a minimal setup
  due to subversion-password-store. (bsc#942819)

- CVE-2015-3184: mod_authz_svn: mixed anonymous/authenticated httpd (dav)
  configurations could lead to information leak. (bsc#939514)

- CVE-2015-3187: Do not leak paths that were hidden by path-based authz.
  (bsc#939517)

- CVE-2015-0202: Subversion HTTP servers with FSFS repositories were
  vulnerable to a remotely triggerable excessive memory use with certain
  REPORT requests. (bsc#923793)

- CVE-2015-0248: Subversion mod_dav_svn and svnserve were vulnerable to a
  remotely triggerable assertion DoS vulnerability for certain requests
  with dynamically evaluated revision numbers. (bsc#923794)

- CVE-2015-0251: Subversion HTTP servers allow spoofing svn:author
  property values for new revisions. (bsc#923795)

- Fix sample configuration comments in subversion.conf. (bsc#916286)

- Fix sysconfig file generation. (bsc#911620)

- CVE-2014-3580: mod_dav_svn invalid REPORT requests could lead to denial
  of service. (bsc#909935)

- CVE-2014-8108: mod_dav_svn use of invalid transaction names could lead
  to denial of service. (bsc#909935)

- INSTALL#SQLite says 'Subversion 1.8 requires SQLite version 3.7.12 or
  above'; therefore I lowered the sqlite requirement to make subversion
  run on older system versions, too. [bsc#897033]

 

 

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP3:

  zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-1340=1

- SUSE Linux Enterprise Software Development Kit 12-SP2:

  zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1340=1

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

  libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1
  libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.19-25.3.1
  subversion-1.8.19-25.3.1
  subversion-debuginfo-1.8.19-25.3.1
  subversion-debugsource-1.8.19-25.3.1
  subversion-devel-1.8.19-25.3.1
  subversion-perl-1.8.19-25.3.1
  subversion-perl-debuginfo-1.8.19-25.3.1
  subversion-python-1.8.19-25.3.1
  subversion-python-debuginfo-1.8.19-25.3.1
  subversion-server-1.8.19-25.3.1
  subversion-server-debuginfo-1.8.19-25.3.1
  subversion-tools-1.8.19-25.3.1
  subversion-tools-debuginfo-1.8.19-25.3.1

- SUSE Linux Enterprise Software Development Kit 12-SP3 (noarch):

  subversion-bash-completion-1.8.19-25.3.1

- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

  libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1
  libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.19-25.3.1
  subversion-1.8.19-25.3.1
  subversion-debuginfo-1.8.19-25.3.1
  subversion-debugsource-1.8.19-25.3.1
  subversion-devel-1.8.19-25.3.1
  subversion-perl-1.8.19-25.3.1
  subversion-perl-debuginfo-1.8.19-25.3.1
  subversion-python-1.8.19-25.3.1
  subversion-python-debuginfo-1.8.19-25.3.1
  subversion-server-1.8.19-25.3.1
  subversion-server-debuginfo-1.8.19-25.3.1
  subversion-tools-1.8.19-25.3.1
  subversion-tools-debuginfo-1.8.19-25.3.1

- SUSE Linux Enterprise Software Development Kit 12-SP2 (noarch):

  subversion-bash-completion-1.8.19-25.3.1
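As an added example that is not part of the SUSE advisory: a POSIX shell script a fleet owner could use to verify that the installed subversion package is at or above the fixed version-release 1.8.19-25.3.1 taken from the package list above, instead of trusting that the zypper command from the Patch Instructions ran everywhere. The vercmp helper, the sample host names and the sample installed versions are constructed for illustration; vercmp is a simplified stand-in for rpm's own comparison and ignores epochs and alphabetic release segments.

```shell
#!/bin/sh
# Added example, not part of the advisory: check whether an installed
# subversion build is at or above the fixed build from SUSE-SU-2017:2200-1.
# The fixed version-release is taken from the advisory's package list.
FIXED_VERSION="1.8.19-25.3.1"

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to or newer than B.
# Both strings are split on '.' and '-' and compared field by field as
# integers; a missing trailing field counts as 0. This is a simplified
# stand-in (assumption) for rpm's comparison, which also handles epochs and
# alphabetic segments.
vercmp() {
  i=1
  while :; do
    x=$(printf '%s\n' "$1" | tr '.-' '\n\n' | sed -n "${i}p")
    y=$(printf '%s\n' "$2" | tr '.-' '\n\n' | sed -n "${i}p")
    if [ -z "$x" ] && [ -z "$y" ]; then
      printf '%s\n' 0
      return
    fi
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
}

# is_fixed INSTALLED: succeeds (exit 0) when INSTALLED >= FIXED_VERSION.
is_fixed() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# check_host HOST INSTALLED: report whether HOST still needs the update.
check_host() {
  host="$1"
  installed="$2"
  if is_fixed "$installed"; then
    echo "$host: subversion $installed is at or above $FIXED_VERSION (patched)"
  else
    echo "$host: subversion $installed is below $FIXED_VERSION (apply SUSE-SU-2017:2200-1)"
  fi
}

# Constructed sample inventory (hypothetical hosts and versions), standing in
# for the output of: rpm -q --qf '%{VERSION}-%{RELEASE}' subversion
check_host sdk-sp2-build01 "1.8.19-24.1"
check_host sdk-sp3-build02 "1.8.19-25.3.1"

# On a real SLE host, query the installed build instead of a sample value.
if command -v rpm >/dev/null 2>&1 && rpm -q subversion >/dev/null 2>&1; then
  check_host "$(hostname)" "$(rpm -q --qf '%{VERSION}-%{RELEASE}' subversion)"
fi
```

The version check compares only the version-release of the subversion package; on a host with subversion-server or the other subpackages installed, run the same check for each of them, since a partial upgrade is exactly the situation the bsc#969159 conflict entry above is about.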

 

 

References:

https://www.suse.com/security/cve/CVE-2014-3580.html
https://www.suse.com/security/cve/CVE-2014-8108.html
https://www.suse.com/security/cve/CVE-2015-0202.html
https://www.suse.com/security/cve/CVE-2015-0248.html
https://www.suse.com/security/cve/CVE-2015-0251.html
https://www.suse.com/security/cve/CVE-2015-3184.html
https://www.suse.com/security/cve/CVE-2015-3187.html
https://www.suse.com/security/cve/CVE-2015-5343.html
https://www.suse.com/security/cve/CVE-2016-2167.html
https://www.suse.com/security/cve/CVE-2016-2168.html
https://www.suse.com/security/cve/CVE-2016-8734.html
https://www.suse.com/security/cve/CVE-2017-9800.html
https://bugzilla.suse.com/1011552
https://bugzilla.suse.com/1026936
https://bugzilla.suse.com/1051362
https://bugzilla.suse.com/897033
https://bugzilla.suse.com/909935
https://bugzilla.suse.com/911620
https://bugzilla.suse.com/916286
https://bugzilla.suse.com/923793
https://bugzilla.suse.com/923794
https://bugzilla.suse.com/923795
https://bugzilla.suse.com/939514
https://bugzilla.suse.com/939517
https://bugzilla.suse.com/942819
https://bugzilla.suse.com/958300
https://bugzilla.suse.com/969159
https://bugzilla.suse.com/976849
https://bugzilla.suse.com/976850
https://bugzilla.suse.com/977424
https://bugzilla.suse.com/983938

 

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org
For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org
