USN-1144-1: Subversion vulnerabilities

6 June 2011

subversion vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.04
  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary

An attacker could send crafted input to the Subversion mod_dav_svn module for Apache and cause it to crash or gain access to restricted files.

Software Description

  • subversion - Advanced version control system

Details

Joe Schaefer discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain baselined WebDAV resource requests. A remote attacker could use this flaw to cause the service to crash, leading to a denial of service. (CVE-2011-1752)

Ivan Zhakov discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain requests. A remote attacker could use this flaw to cause the service to consume all available resources, leading to a denial of service. (CVE-2011-1783)

Kamesh Jayachandran discovered that the Subversion mod_dav_svn module for Apache did not properly handle access control in certain situations. A remote user could use this flaw to gain access to files that would otherwise be unreadable. (CVE-2011-1921)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 11.04
libapache2-svn - 1.6.12dfsg-4ubuntu2.1
Ubuntu 10.10
libapache2-svn - 1.6.12dfsg-1ubuntu1.3
Ubuntu 10.04 LTS
libapache2-svn - 1.6.6dfsg-2ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that use Subversion, such as Apache when using mod_dav_svn, to make all the necessary changes.

References