[SECURITY] [DLA 448-1] subversion security update

2016-05-0102:26:52

lists.debian.org

4.9 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

6.9 Medium

AI Score

Confidence

High

0.084 Low

EPSS

Percentile

94.5%

JSON

Package : subversion
Version : 1.6.17dfsg-4+deb7u11
CVE ID : CVE-2016-2167 CVE-2016-2168

CVE-2016-2167

svnserve, the svn:// protocol server, can optionally use the Cyrus
SASL library for authentication, integrity protection, and encryption.
Due to a programming oversight, authentication against Cyrus SASL
would permit the remote user to specify a realm string which is
a prefix of the expected realm string.

CVE-2016-2168

Subversion&#x27;s httpd servers are vulnerable to a remotely triggerable crash
in the mod_authz_svn module.  The crash can occur during an authorization
check for a COPY or MOVE request with a specially crafted header value.

This allows remote attackers to cause a denial of service.

–
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <[email protected]>
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian8kfreebsd-i386libsvn-dev< 1.8.10-6+deb8u4libsvn-dev_1.8.10-6+deb8u4_kfreebsd-i386.deb
Debian7amd64libsvn-ruby1.8< 1.6.17dfsg-4+deb7u11libsvn-ruby1.8_1.6.17dfsg-4+deb7u11_amd64.deb
Debian7armellibsvn1< 1.6.17dfsg-4+deb7u11libsvn1_1.6.17dfsg-4+deb7u11_armel.deb
Debian8s390xlibsvn1< 1.8.10-6+deb8u4libsvn1_1.8.10-6+deb8u4_s390x.deb
Debian8powerpclibsvn-dev< 1.8.10-6+deb8u4libsvn-dev_1.8.10-6+deb8u4_powerpc.deb
Debian8kfreebsd-amd64libapache2-mod-svn< 1.8.10-6+deb8u4libapache2-mod-svn_1.8.10-6+deb8u4_kfreebsd-amd64.deb
Debian7i386subversion< 1.6.17dfsg-4+deb7u11subversion_1.6.17dfsg-4+deb7u11_i386.deb
Debian8armhflibsvn1< 1.8.10-6+deb8u4libsvn1_1.8.10-6+deb8u4_armhf.deb
Debian8ppc64ellibsvn-dev< 1.8.10-6+deb8u4libsvn-dev_1.8.10-6+deb8u4_ppc64el.deb
Debian8amd64libsvn-dev< 1.8.10-6+deb8u4libsvn-dev_1.8.10-6+deb8u4_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	kfreebsd-i386	libsvn-dev	< 1.8.10-6+deb8u4	libsvn-dev_1.8.10-6+deb8u4_kfreebsd-i386.deb
Debian	7	amd64	libsvn-ruby1.8	< 1.6.17dfsg-4+deb7u11	libsvn-ruby1.8_1.6.17dfsg-4+deb7u11_amd64.deb
Debian	7	armel	libsvn1	< 1.6.17dfsg-4+deb7u11	libsvn1_1.6.17dfsg-4+deb7u11_armel.deb
Debian	8	s390x	libsvn1	< 1.8.10-6+deb8u4	libsvn1_1.8.10-6+deb8u4_s390x.deb
Debian	8	powerpc	libsvn-dev	< 1.8.10-6+deb8u4	libsvn-dev_1.8.10-6+deb8u4_powerpc.deb
Debian	8	kfreebsd-amd64	libapache2-mod-svn	< 1.8.10-6+deb8u4	libapache2-mod-svn_1.8.10-6+deb8u4_kfreebsd-amd64.deb
Debian	7	i386	subversion	< 1.6.17dfsg-4+deb7u11	subversion_1.6.17dfsg-4+deb7u11_i386.deb
Debian	8	armhf	libsvn1	< 1.8.10-6+deb8u4	libsvn1_1.8.10-6+deb8u4_armhf.deb
Debian	8	ppc64el	libsvn-dev	< 1.8.10-6+deb8u4	libsvn-dev_1.8.10-6+deb8u4_ppc64el.deb
Debian	8	amd64	libsvn-dev	< 1.8.10-6+deb8u4	libsvn-dev_1.8.10-6+deb8u4_amd64.deb