BSA-004 Security Update for subversion

2010-10-1009:30:09

lists.debian.org

6 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

60.0%

JSON

Peter Samuelson uploaded new packages for subversion which fixed the
following security problems:

CVE-2010-3315
When "SVNPathAuthz short_circuit" is enabled, authz authentication in
the mod_dav_svn module for the Apache HTTP Server is flawed. Remote
authenticated users can bypass intended access restrictions via svn
commands.

https://vulners.com/cve/CVE-2010-3315

For the lenny-backports distribution, the problem has been fixed in
version 1.6.12dfsg-2~bpo50+1.

For the current testing (squeeze) and unstable (sid) distributions, the
problem has been fixed in version 1.6.12dfsg-2.

Upgrade instructions

If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>

We recommend to pin the backports repository to 200 so that new
versions of installed backports will be installed automatically.

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

Michael Diers, elego Software Solutions GmbH, http://www.elego.de

OSVersionArchitecturePackageVersionFilename
Debian999allsubversion< 1.6.12dfsg-2subversion_1.6.12dfsg-2_all.deb
Debian6kfreebsd-i386libsvn-perl< 1.6.12dfsg-2libsvn-perl_1.6.12dfsg-2_kfreebsd-i386.deb
Debian999mipsellibsvn-dev< 1.6.12dfsg-2libsvn-dev_1.6.12dfsg-2_mipsel.deb
Debian999sparclibsvn-perl< 1.6.12dfsg-2libsvn-perl_1.6.12dfsg-2_sparc.deb
Debian999sparcsubversion< 1.6.12dfsg-2subversion_1.6.12dfsg-2_sparc.deb
Debian6powerpcspelibsvn-ruby1.8< 1.6.12dfsg-2libsvn-ruby1.8_1.6.12dfsg-2_powerpcspe.deb
Debian6sparc64libapache2-svn< 1.6.12dfsg-2libapache2-svn_1.6.12dfsg-2_sparc64.deb
Debian999alphalibsvn-ruby1.8< 1.6.12dfsg-2libsvn-ruby1.8_1.6.12dfsg-2_alpha.deb
Debian6hppapython-subversion< 1.6.12dfsg-2python-subversion_1.6.12dfsg-2_hppa.deb
Debian999sparclibsvn-dev< 1.6.12dfsg-2libsvn-dev_1.6.12dfsg-2_sparc.deb

OS	Version	Architecture	Package	Version	Filename
Debian	999	all	subversion	< 1.6.12dfsg-2	subversion_1.6.12dfsg-2_all.deb
Debian	6	kfreebsd-i386	libsvn-perl	< 1.6.12dfsg-2	libsvn-perl_1.6.12dfsg-2_kfreebsd-i386.deb
Debian	999	mipsel	libsvn-dev	< 1.6.12dfsg-2	libsvn-dev_1.6.12dfsg-2_mipsel.deb
Debian	999	sparc	libsvn-perl	< 1.6.12dfsg-2	libsvn-perl_1.6.12dfsg-2_sparc.deb
Debian	999	sparc	subversion	< 1.6.12dfsg-2	subversion_1.6.12dfsg-2_sparc.deb
Debian	6	powerpcspe	libsvn-ruby1.8	< 1.6.12dfsg-2	libsvn-ruby1.8_1.6.12dfsg-2_powerpcspe.deb
Debian	6	sparc64	libapache2-svn	< 1.6.12dfsg-2	libapache2-svn_1.6.12dfsg-2_sparc64.deb
Debian	999	alpha	libsvn-ruby1.8	< 1.6.12dfsg-2	libsvn-ruby1.8_1.6.12dfsg-2_alpha.deb
Debian	6	hppa	python-subversion	< 1.6.12dfsg-2	python-subversion_1.6.12dfsg-2_hppa.deb
Debian	999	sparc	libsvn-dev	< 1.6.12dfsg-2	libsvn-dev_1.6.12dfsg-2_sparc.deb