-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0594
      A number of vulnerabilities have been identified in subversion
                                2 June 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           subversion
Publisher:         Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service      -- Remote/Unauthenticated
                   Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-1921 CVE-2011-1783 CVE-2011-1752

Original Bulletin: 
   http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
   http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
   http://subversion.apache.org/security/CVE-2011-1921-advisory.txt

Comment: This bulletin contains three (3) Apache Software Foundation security
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

  Subversion HTTP servers up to 1.6.16 (inclusive) are vulnerable to a
  remotely triggerable NULL-pointer dereference.

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module will dereference
  a NULL pointer if asked to deliver baselined WebDAV resources.

  This can lead to a DoS.  An exploit has been tested, and tools or users
  have been observed triggering this problem in the wild.

Known vulnerable:
=================

  Subversion HTTPD servers <= 1.6.16

Known fixed:
============

  Subversion 1.6.17
  svnserve (any version) is not vulnerable

Details:
========

  Subversion's mod_dav_svn module implements a subset of the WebDAV
  and DeltaV protocols to support version control operations with
  Subversion clients and, to a limited extent, certain other
  WebDAV-aware client programs.  The protocol dictates the existence
  and use of so-called "baselined resources" which do not directly
  represent versioned files or directories, but instead represent
  somewhat more abstract concepts.  (See the specifications of those
  protocols for details.)  As a result, these baselined resources --
  which are addressable using specifically formatted URLs -- are not
  suitable for generic delivery in response to the common GET HTTP
  request.

  Because of this vulnerability, mod_dav_svn fails to notice that a
  request submitted against the URL of a baselined resource should
  simply return a graceful error and instead attempts to process the
  request.  This ultimately leads to a dereference of the pointer
  associated with the resource's repository path, which is NULL
  because the resource cannot be said to have such a path.

Severity:
=========

  A remote attacker may be able to crash a Subversion server.  Many Apache
  servers will respawn the listener processes, but a determined attacker
  will be able to crash these processes as they appear, denying service to
  legitimate users.
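
  As an added example (not part of the Apache advisory or of the AusCERT
  bulletin), the following Python script shows one way to notice, from the
  operator's side, the pattern the Severity section describes: httpd keeps
  respawning worker processes while they are crashed again as soon as they
  appear.  It scans Apache 2.2-style error_log lines for children dying with
  a segmentation fault and reports the minutes in which such crashes cluster.
  The log line format, the regular expression, the one-minute window, the
  alert threshold and the sample log lines are all assumptions and constructed
  input, not anything taken from the advisory.

```python
"""Spot a burst of crashing httpd worker processes in an Apache error_log.

Added example for the advisory above, not code from the Subversion project
or the AusCERT bulletin.  Assumed (not from the advisory): Apache 2.2-style
error_log lines such as
  [Thu Jun 02 10:00:03 2011] [notice] child pid 4101 exit signal Segmentation fault (11)
"""
import re
from collections import Counter
from datetime import datetime

# Matches the line the parent httpd writes when a child dies with SIGSEGV.
SEGV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal Segmentation fault \(11\)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample input: a normal start-up line, four worker crashes
# inside one minute, one isolated crash, and an unrelated error.
SAMPLE_ERROR_LOG = """\
[Thu Jun 02 09:58:12 2011] [notice] Apache/2.2.17 (Unix) DAV/2 SVN/1.6.16 configured -- resuming normal operations
[Thu Jun 02 10:00:03 2011] [notice] child pid 4101 exit signal Segmentation fault (11)
[Thu Jun 02 10:00:04 2011] [notice] child pid 4102 exit signal Segmentation fault (11)
[Thu Jun 02 10:00:06 2011] [notice] child pid 4103 exit signal Segmentation fault (11)
[Thu Jun 02 10:00:09 2011] [notice] child pid 4104 exit signal Segmentation fault (11)
[Thu Jun 02 10:03:41 2011] [notice] child pid 4110 exit signal Segmentation fault (11)
[Thu Jun 02 10:05:00 2011] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/favicon.ico
""".splitlines()


def segfault_times(lines):
    """Return the timestamp of every worker segfault found in the lines."""
    found = []
    for line in lines:
        m = SEGV_RE.match(line)
        if m:
            found.append(datetime.strptime(m.group("ts"), TS_FORMAT))
    return found


def crash_bursts(lines, threshold=3):
    """Return [(minute, crash_count)] for each minute with >= threshold segfaults.

    A single crash can be any bug; several per minute while httpd keeps
    respawning its workers is the denial-of-service pattern the Severity
    section describes, so only minutes at or above the threshold are reported.
    """
    per_minute = Counter(ts.replace(second=0) for ts in segfault_times(lines))
    return sorted((minute, n) for minute, n in per_minute.items() if n >= threshold)


if __name__ == "__main__":
    for minute, n in crash_bursts(SAMPLE_ERROR_LOG):
        print("%s: %d httpd worker segfaults in one minute" % (minute, n))
```

  Run against a real error_log the script only tells you that workers are
  being crashed repeatedly, not why; confirming the cause still means checking
  the installed mod_dav_svn version against the ranges above.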

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.6.17.  Users of
  Subversion 1.5.x or 1.6.x who are unable to upgrade may apply the
  included patch.
  
  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

References:
===========

  CVE-2011-1752  (Subversion)

Reported by:
============

  Joe Schaefer, Apache Software Foundation

- ------------------------------------------------------------------------------

  Subversion HTTP servers 1.5.0 to 1.6.16 (inclusive) are vulnerable
  to a remotely triggerable memory exhaustion DoS vulnerability.

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module may in certain
  scenarios enter a logic loop which does not exit and which allocates
  memory in each iteration, ultimately exhausting all the available
  memory on the server.

  This can lead to a DoS.  There are no known instances of this
  problem being observed in the wild, but an exploit has been tested.

Known vulnerable:
=================

  Subversion HTTPD servers >= 1.5.0 and <= 1.6.16

Known fixed:
============

  Subversion 1.6.17
  svnserve (any version) is not vulnerable

Details:
========

  Subversion Apache/mod_dav_svn servers may be configured to provide
  path-based access control for files and directories stored in the
  Subversion repository.

  One such configuration -- identified by the use of the SVNPathAuthz
  httpd.conf directive with a value of "short_circuit" -- instructs
  mod_dav_svn to directly query the authorization logic in
  libsvn_repos to answer access questions ("Does the user who is
  requesting information from this server have permission to read
  SOME-PATH in SOME-REVISION?") rather than employing Apache
  subrequests to do the same.  With such a configuration in place,
  certain data sets and access rule combinations can trigger an
  infinite loop of logic that also allocates memory upon each
  iteration.  Over time, all available system memory will be allocated
  by the logic loop.

Severity:
=========

  A remote attacker may be able to deny access to a Subversion server
  by exhausting the available memory on the server.

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.6.17.  Users of
  Subversion 1.5.x or 1.6.x who are unable to upgrade may apply the
  included patch.
  
  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

References:
===========

  CVE-2011-1783  (Subversion)

Reported by:
============

  Ivan Zhakov, VisualSVN

- ------------------------------------------------------------------------------

  Subversion HTTP servers 1.5.0 to 1.6.16 (inclusive) could leak the
  contents of files configured to be unreadable.

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module may leak to
  remote users the file contents of files configured to be unreadable
  by those users.

  There are no known instances of this problem being observed in the
  wild, but an exploit has been tested.

Known vulnerable:
=================

  Subversion HTTPD servers >= 1.5.0 and <= 1.6.16

Known fixed:
============

  Subversion 1.6.17
  svnserve (any version) is not vulnerable

Details:
========

  Subversion Apache/mod_dav_svn servers may be configured to provide
  path-based access control for files and directories stored in the
  Subversion repository.

  In the general case, mod_dav_svn asks access questions ("Does the
  user who is requesting information from this server have permission
  to read SOME-PATH in SOME-REVISION?") of Apache's authorization
  subsystem using Apache's internal subrequest mechanism.  Apache
  partially handles these subrequests, returning either a successful
  or an unsuccessful status code after its authorization subsystem has
  determined whether read access to the requested resource URL has
  been granted or denied, respectively.

  In certain circumstances, mod_dav_svn improperly generates the
  resource URLs that it uses in these subrequests, resulting in
  Apache's authorization subsystem answering the access question for
  the incorrect resource.  Specifically, this leakage is limited to:
  
    * files and directories which are themselves configured to be
      unreadable, but 

    * which are children (immediate or otherwise) of a readable
      directory which itself was copied or moved from an unreadable
      path, and

    * which were present in that directory at the time of its copy or
      move.

    * Finally, the attacker must be using mod_dav_svn's "replay"
      REPORT mechanism to access the extended history of the
      repository.

  NOTE: This vulnerability is not triggerable if mod_dav_svn is
  configured with the "SVNPathAuthz short_circuit" httpd.conf
  directive.  Unfortunately, an independent denial of service
  vulnerability (CVE-2011-1783) prevents the use of this approach
  as a suitable workaround.
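
  The three advisories in this bulletin interact: CVE-2011-1752 affects every
  mod_dav_svn server up to 1.6.16 regardless of configuration, while the
  SVNPathAuthz setting decides which of CVE-2011-1783 (short_circuit) and
  CVE-2011-1921 (otherwise) applies on 1.5.0 to 1.6.16, and svnserve is never
  affected.  As an added example (not code from the Subversion project or the
  AusCERT bulletin), the following Python helper encodes exactly those
  conditions so an operator can triage an inventory of servers.  It assumes the
  server kind, version string and SVNPathAuthz value are supplied by the
  operator (for instance from "svn --version" and httpd.conf); the function
  names and the treatment of "on" as the directive's default are my
  assumptions.

```python
"""Work out which of the three advisories above apply to a given deployment.

Added example, not code from the Subversion project or the AusCERT bulletin.
Inputs (server kind, version string, SVNPathAuthz value) are assumed to be
supplied by the operator.
"""

# Version boundaries exactly as stated in the advisories.
FIXED = (1, 6, 17)       # "Known fixed: Subversion 1.6.17"
AUTHZ_MIN = (1, 5, 0)    # the two path-based authz issues start at 1.5.0


def parse_version(text):
    """Turn "1.6.16" into (1, 6, 16), padding short strings to three parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Subversion version: %r" % text)
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def applicable_cves(server, version, path_authz="on"):
    """Return the set of CVE ids from this bulletin that apply.

    server      "mod_dav_svn" (Apache HTTPD) or "svnserve"
    version     Subversion version string, e.g. "1.6.16"
    path_authz  value of the SVNPathAuthz directive ("on" assumed as default)
    """
    if server == "svnserve":
        return set()               # all three advisories: svnserve is not vulnerable
    if server != "mod_dav_svn":
        raise ValueError("unknown server kind: %r" % server)
    v = parse_version(version)
    if v >= FIXED:
        return set()
    cves = {"CVE-2011-1752"}       # baselined-resource NULL dereference: any <= 1.6.16
    if v >= AUTHZ_MIN:
        if path_authz.strip().lower() == "short_circuit":
            cves.add("CVE-2011-1783")   # libsvn_repos authz loop exhausts memory
        else:
            # The advisory exempts only short_circuit, so every other
            # setting is treated as exposed to the subrequest URL mix-up.
            cves.add("CVE-2011-1921")
    return cves


def recommendation(server, version, path_authz="on"):
    """One-line verdict.  Changing SVNPathAuthz only swaps one issue for the
    other on 1.5.0-1.6.16 and never removes CVE-2011-1752, so the only
    remediation the advisories offer is the 1.6.17 upgrade or its patch."""
    cves = applicable_cves(server, version, path_authz)
    if not cves:
        return "not affected"
    return ("upgrade to Subversion 1.6.17 (or apply the patch); affected by "
            + ", ".join(sorted(cves)))


if __name__ == "__main__":
    for kind, ver, authz in [("mod_dav_svn", "1.6.16", "on"),
                             ("mod_dav_svn", "1.6.16", "short_circuit"),
                             ("mod_dav_svn", "1.4.6", "on"),
                             ("svnserve", "1.6.16", "on")]:
        print("%-12s %-7s %-14s -> %s" % (kind, ver, authz,
                                          recommendation(kind, ver, authz)))
```

  The point the helper makes visible is the one the NOTE above states in
  prose: for a 1.5.x or 1.6.x mod_dav_svn server every SVNPathAuthz value
  leaves at least two of the three CVEs open, so configuration changes are not
  a workaround.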

Severity:
=========

  File contents of privileged documents could be leaked in full to
  users who shouldn't be permitted to see them.

  NOTE:  We believe this leak is limited to a specific revision of
  those documents -- the revision in which their parent directory was
  copied from an unreadable location -- but have not verified as much.

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.6.17.  Users of
  Subversion 1.5.x or 1.6.x who are unable to upgrade may apply the
  included patch.
  
  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

References:
===========

  CVE-2011-1921  (Subversion)

Reported by:
============

  Kamesh Jayachandran, CollabNet, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFN5wmP/iFOrG6YcBERAtV4AKCCMCeMCwRrGtCr+NjwVyFqbVZQyQCfeLqD
hyeHdU0c8jyf1Udfz/AKy8I=
=jRQP
-----END PGP SIGNATURE-----