USN-1893-1: Subversion vulnerabilities

27 June 2013

subversion vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 13.04
  • Ubuntu 12.10
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Subversion.

Software Description

  • subversion - Advanced version control system

Details

Alexander Klink discovered that the Subversion mod_dav_svn module for Apache did not properly handle a large number of properties. A remote authenticated attacker could use this flaw to cause memory consumption, leading to a denial of service. (CVE-2013-1845)

Ben Reser discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain LOCKs. A remote authenticated attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-1846)

Philip Martin and Ben Reser discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain LOCKs. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-1847)

It was discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain PROPFIND requests. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-1849)

Greg McMullin, Stefan Fuhrmann, Philip Martin, and Ben Reser discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain log REPORT requests. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. This issue only affected Ubuntu 12.10 and Ubuntu 13.04. (CVE-2013-1884)

Stefan Sperling discovered that Subversion incorrectly handled newline characters in filenames. A remote authenticated attacker could use this flaw to corrupt FSFS repositories. (CVE-2013-1968)

Boris Lytochkin discovered that Subversion incorrectly handled TCP connections that were closed early. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-2112)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.04
libapache2-svn - 1.7.5-1ubuntu3.1
libsvn1 - 1.7.5-1ubuntu3.1
Ubuntu 12.10
libapache2-svn - 1.7.5-1ubuntu2.1
libsvn1 - 1.7.5-1ubuntu2.1
Ubuntu 12.04 LTS
libapache2-svn - 1.6.17dfsg-3ubuntu3.3
libsvn1 - 1.6.17dfsg-3ubuntu3.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References