===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0594
        A number of vulnerabilities have been identified in subversion
                                2 June 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           subversion
Publisher:         Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service       -- Remote/Unauthenticated
                   Access Privileged Data  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-1921 CVE-2011-1783 CVE-2011-1752

Original Bulletin:
  http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
  http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
  http://subversion.apache.org/security/CVE-2011-1921-advisory.txt

Comment: This bulletin contains three (3) Apache Software Foundation
         security advisories.

---------------------------BEGIN INCLUDED TEXT--------------------

Subversion HTTP servers up to 1.6.16 (inclusive) are vulnerable to a
remotely triggerable NULL-pointer dereference.

Summary:
========

Subversion's mod_dav_svn Apache HTTPD server module will dereference a
NULL pointer if asked to deliver baselined WebDAV resources.

This can lead to a DoS. An exploit has been tested, and tools or users
have been observed triggering this problem in the wild.

Known vulnerable:
=================

Subversion HTTPD servers <= 1.6.16

Known fixed:
============

Subversion 1.6.17
svnserve (any version) is not vulnerable

Details:
========

Subversion's mod_dav_svn module implements a subset of the WebDAV and
DeltaV protocols to support version control operations with Subversion
clients and, to a limited extent, certain other WebDAV-aware client
programs.
The protocol dictates the existence and use of so-called "baselined
resources" which do not directly represent versioned files or
directories, but instead represent somewhat more abstract concepts. (See
the specifications of those protocols for details.) As a result, these
baselined resources -- which are addressable using specifically formatted
URLs -- are not suitable for generic delivery in response to the common
GET HTTP request.

Because of this vulnerability, mod_dav_svn fails to notice that a request
submitted against the URL of a baselined resource should simply return a
graceful error and instead attempts to process the request. This
ultimately leads to a dereference of the pointer associated with the
resource's repository path, which is NULL because the resource cannot be
said to have such a path.

Severity:
=========

A remote attacker may be able to crash a Subversion server. Many Apache
servers will respawn the listener processes, but a determined attacker
will be able to crash these processes as they appear, denying service to
legitimate users.

Recommendations:
================

We recommend that all users upgrade to Subversion 1.6.17.

Users of Subversion 1.5.x or 1.6.x who are unable to upgrade may apply
the included patch.

New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

References:
===========

CVE-2011-1752 (Subversion)

Reported by:
============

Joe Schaefer, Apache Software Foundation

------------------------------------------------------------------------------

Subversion HTTP servers 1.5.0 to 1.6.16 (inclusive) are vulnerable to a
remotely triggerable memory exhaustion DoS vulnerability.

Summary:
========

Subversion's mod_dav_svn Apache HTTPD server module may in certain
scenarios enter a logic loop which does not exit and which allocates
memory in each iteration, ultimately exhausting all the available memory
on the server.

This can lead to a DoS.
There are no known instances of this problem being observed in the wild,
but an exploit has been tested.

Known vulnerable:
=================

Subversion HTTPD servers >= 1.5.0 and <= 1.6.16

Known fixed:
============

Subversion 1.6.17
svnserve (any version) is not vulnerable

Details:
========

Subversion Apache/mod_dav_svn servers may be configured to provide
path-based access control for files and directories stored in the
Subversion repository. One such configuration -- identified by the use
of the SVNPathAuthz httpd.conf directive with a value of "short_circuit"
-- instructs mod_dav_svn to directly query the authorization logic in
libsvn_repos to answer access questions ("Does the user who is requesting
information from this server have permission to read SOME-PATH in
SOME-REVISION?") rather than employing Apache subrequests to do the same.

With such a configuration in place, certain data sets and access rule
combinations can trigger an infinite loop of logic that also allocates
memory upon each iteration. Over time, all available system memory will
be allocated by the logic loop.

Severity:
=========

A remote attacker may be able to deny access to a Subversion server by
exhausting the available memory on the server.

Recommendations:
================

We recommend that all users upgrade to Subversion 1.6.17.

Users of Subversion 1.5.x or 1.6.x who are unable to upgrade may apply
the included patch.

New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

References:
===========

CVE-2011-1783 (Subversion)

Reported by:
============

Ivan Zhakov, VisualSVN

------------------------------------------------------------------------------

Subversion HTTP servers 1.5.0 to 1.6.16 (inclusive) could leak the
contents of files configured to be unreadable.

Summary:
========

Subversion's mod_dav_svn Apache HTTPD server module may leak to remote
users the file contents of files configured to be unreadable by those
users.
There are no known instances of this problem being observed in the wild,
but an exploit has been tested.

Known vulnerable:
=================

Subversion HTTPD servers >= 1.5.0 and <= 1.6.16

Known fixed:
============

Subversion 1.6.17
svnserve (any version) is not vulnerable

Details:
========

Subversion Apache/mod_dav_svn servers may be configured to provide
path-based access control for files and directories stored in the
Subversion repository. In the general case, mod_dav_svn asks access
questions ("Does the user who is requesting information from this server
have permission to read SOME-PATH in SOME-REVISION?") of Apache's
authorization subsystem using Apache's internal subrequest mechanism.
Apache partially handles these subrequests, returning either a successful
or an unsuccessful status code after its authorization subsystem has
determined whether read access to the requested resource URL has been
granted or denied, respectively.

In certain circumstances, mod_dav_svn improperly generates the resource
URLs that it uses in these subrequests, resulting in Apache's
authorization subsystem answering the access question for the incorrect
resource.

Specifically, this leakage is limited to:

  * files and directories which are themselves configured to be
    unreadable, but

  * which are children (immediate or otherwise) of a readable directory
    which itself was copied or moved from an unreadable path, and

  * which were present in that directory at the time of its copy or move.

  * Finally, the attacker must be using mod_dav_svn's "replay" REPORT
    mechanism to access the extended history of the repository.

NOTE: This vulnerability is not triggerable if mod_dav_svn is configured
with the "SVNPathAuthz short_circuit" httpd.conf directive.
Unfortunately, an independent denial of service vulnerability
(CVE-2011-1783) prevents the use of this approach as a suitable
workaround.
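The three advisories above interact through one directive: CVE-2011-1783 only applies when SVNPathAuthz is set to short_circuit, CVE-2011-1921 only in the default subrequest mode, and CVE-2011-1752 regardless. The following triage helper is an added example (not part of the bulletin or of the Subversion project); the function names, the version-comparison logic and the sample httpd.conf fragment are constructed here from the ranges the advisories state.

```python
"""Map a mod_dav_svn deployment to the CVEs in ESB-2011.0594.
Added example; ranges and directive names come from the advisories."""
import re

VULN_MAX = (1, 6, 16)    # all three issues are fixed in 1.6.17
AUTHZ_MIN = (1, 5, 0)    # CVE-2011-1783 / CVE-2011-1921 start at 1.5.0


def parse_version(text):
    """'1.6.16' -> (1, 6, 16); raise on anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Subversion version: %r" % text)
    return tuple(int(x) for x in m.groups())


def short_circuit_enabled(httpd_conf):
    """True if the effective SVNPathAuthz value is short_circuit.
    Comments are stripped, matching is case-insensitive, last one wins."""
    value = None
    for line in httpd_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"SVNPathAuthz\s+(\S+)", line, re.IGNORECASE)
        if m:
            value = m.group(1).lower()
    return value == "short_circuit"


def applicable_cves(version, httpd_conf):
    """Return the bulletin's CVEs that apply to this version + config."""
    v = parse_version(version)
    if v > VULN_MAX:
        return []                          # 1.6.17 and later carry the fixes
    cves = ["CVE-2011-1752"]               # NULL deref: any server <= 1.6.16
    if v >= AUTHZ_MIN:
        if short_circuit_enabled(httpd_conf):
            cves.append("CVE-2011-1783")   # memory-exhaustion loop
        else:
            cves.append("CVE-2011-1921")   # authz leak via subrequests
    return cves


# Constructed sample httpd.conf fragment (not from the bulletin).
SAMPLE_CONF = """<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  SVNPathAuthz short_circuit   # the short_circuit "workaround"
</Location>
"""

if __name__ == "__main__":
    print(applicable_cves("1.6.16", SAMPLE_CONF))
```

Note that flipping SVNPathAuthz merely swaps CVE-2011-1921 for CVE-2011-1783 on an unpatched server; only the upgrade to 1.6.17 clears the list.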
Severity:
=========

File contents of privileged documents could be leaked in full to users
who shouldn't be permitted to see them.

NOTE: We believe this leak is limited to a specific revision of those
documents -- the revision in which their parent directory was copied
from an unreadable location -- but have not verified as much.

Recommendations:
================

We recommend that all users upgrade to Subversion 1.6.17.

Users of Subversion 1.5.x or 1.6.x who are unable to upgrade may apply
the included patch.

New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

References:
===========

CVE-2011-1921 (Subversion)

Reported by:
============

Kamesh Jayachandran, CollabNet, Inc.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

  http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================