Security update for subversion SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0672-1 Final 1 1 2015-03-31T15:05:41Z current 2015-03-31T15:05:41Z 2015-03-31T15:05:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for subversion Apache Subversion was updated to 1.8.13 to fix three vulnerabilities and a number of non-security bugs. This release fixes three vulnerabilities: * Subversion HTTP servers with FSFS repositories were vulnerable to a remotely triggerable excessive memory use with certain REPORT requests. (bsc#923793 CVE-2015-0202) * Subversion mod_dav_svn and svnserve were vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers. (bsc#923794 CVE-2015-0248) * Subversion HTTP servers allow spoofing svn:author property values for new revisions (bsc#923795 CVE-2015-0251) Non-security fixes: * fixes number of client and server side non-security bugs * improved working copy performance * reduction of resource use * stability improvements * usability improvements * fix sample configuration comments in subversion.conf [boo#916286] * fix bashisms in mailer-init.sh script The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html E-Mail link for openSUSE-SU-2015:0672-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings libsvn_auth_gnome_keyring-1-0-1.8.13-2.36.1 libsvn_auth_kwallet-1-0-1.8.13-2.36.1 subversion-1.8.13-2.36.1 subversion-bash-completion-1.8.13-2.36.1 subversion-devel-1.8.13-2.36.1 subversion-perl-1.8.13-2.36.1 subversion-python-1.8.13-2.36.1 subversion-ruby-1.8.13-2.36.1 subversion-server-1.8.13-2.36.1 subversion-tools-1.8.13-2.36.1 The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes. CVE-2015-0202 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html https://www.suse.com/security/cve/CVE-2015-0202.html CVE-2015-0202 https://bugzilla.suse.com/923793 SUSE Bug 923793 The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers. CVE-2015-0248 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html https://www.suse.com/security/cve/CVE-2015-0248.html CVE-2015-0248 https://bugzilla.suse.com/923794 SUSE Bug 923794 The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences. CVE-2015-0251 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html https://www.suse.com/security/cve/CVE-2015-0251.html CVE-2015-0251 https://bugzilla.suse.com/923795 SUSE Bug 923795