Author: hwright
Date: Wed Jun 1 20:05:22 2011
New Revision: 1130281
URL: http://svn.apache.org/viewvc?rev=1130281&view=rev
Log:
Publish the advisories for CVE-2011-1921, CVE-2011-1752, CVE-2011-1783.
* publish/security/CVE-2011-1921-advisory.txt
publish/security/CVE-2011-1752-advisory.txt
publish/security/CVE-2011-1783-advisory.txt:
New.
* publish/security/index.html:
List the new CVEs.
Added:
subversion/site/publish/security/CVE-2011-1752-advisory.txt (with props)
subversion/site/publish/security/CVE-2011-1783-advisory.txt (with props)
subversion/site/publish/security/CVE-2011-1921-advisory.txt (with props)
Modified:
subversion/site/publish/security/index.html
Added: subversion/site/publish/security/CVE-2011-1752-advisory.txt
URL:
http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2011-1752-advisory.txt?rev=1130281&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2011-1752-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2011-1752-advisory.txt Wed Jun 1
20:05:22 2011
@@ -0,0 +1,72 @@
+ Subversion HTTP servers up to 1.6.16 (inclusive) are vulnerable to a
+ remotely triggerable NULL-pointer dereference.
+
+Summary:
+========
+
+ Subversion's mod_dav_svn Apache HTTPD server module will dereference
+ a NULL pointer if asked to deliver baselined WebDAV resources.
+
+ This can lead to a DoS. An exploit has been tested, and tools or users
+ have been observed triggering this problem in the wild.
+
+Known vulnerable:
+=================
+
+ Subversion HTTPD servers <= 1.6.16
+
+Known fixed:
+============
+
+ Subversion 1.6.17
+ svnserve (any version) is not vulnerable
+
+Details:
+========
+
+ Subversion's mod_dav_svn module implements a subset of the WebDAV
+ and DeltaV protocols to support version control operations with
+ Subversion clients and, to a limited extent, certain other
+ WebDAV-aware client programs. The protocol dictates the existance
+ and use of so-colled "baselined resources" which do not directly
+ represent versioned files or directories, but instead represent
+ somewhat more abstract concepts. (See the specifications of those
+ protocols for details.) As a result, these baselined resources --
+ which are addressable using specifically formatted URLs -- are not
+ suitable for generic delivery in response to the common GET HTTP
+ request.
+
+ Because of this vulnerability, mod_dav_svn fails to notice that a
+ request submitted against the URL of a baselined resource should
+ simply return a graceful error and instead attempts to process the
+ request. This ultimately leads to a dereference of the pointer
+ associated with the resource's repository path, which is NULL
+ because the resource cannot be said to have such a path.
+
+Severity:
+=========
+
+ A remote attacker may be able to crash a Subversion server. Many Apache
+ servers will respawn the listener processes, but a determined attacker
+ will be able to crash these processes as they appear, denying service to
+ legitimate users.
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to Subversion 1.6.17. Users of
+ Subversion 1.5.x or 1.6.x who are unable to upgrade may apply the
+ included patch.
+
+ New Subversion packages can be found at:
+ http://subversion.apache.org/packages.html
+
+References:
+===========
+
+ CVE-2011-1752 (Subversion)
+
+Reported by:
+============
+
+ Joe Schaefer, Apache Software Foundation
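Review bot: Two spelling errors in the first Details paragraph need fixing before publication: "existance" should be "existence" and "so-colled" should be "so-called". Separately, Recommendations tells users of 1.5.x or 1.6.x that they "may apply the included patch", but the 72 added lines end at "Reported by" and contain no patch; append it or say where it can be found.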
Propchange: subversion/site/publish/security/CVE-2011-1752-advisory.txt
------------------------------------------------------------------------------
svn:eol-style = native
Added: subversion/site/publish/security/CVE-2011-1783-advisory.txt
URL:
http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2011-1783-advisory.txt?rev=1130281&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2011-1783-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2011-1783-advisory.txt Wed Jun 1
20:05:22 2011
@@ -0,0 +1,69 @@
+ Subversion HTTP servers 1.5.0 to 1.6.16 (inclusive) are vulnerable
+ to a remotely triggerable memory exhaustion DoS vulnerability.
+
+Summary:
+========
+
+ Subversion's mod_dav_svn Apache HTTPD server module may in certain
+ scenarios enter a logic loop which does not exit and which allocates
+ memory in each iteration, ultimately exhausting all the available
+ memory on the server.
+
+ This can lead to a DoS. There are no known instances of this
+ problem being observed in the wild, but an exploit has been tested.
+
+Known vulnerable:
+=================
+
+ Subversion HTTPD servers >= 1.5.0 and <= 1.6.16
+
+Known fixed:
+============
+
+ Subversion 1.6.17
+ svnserve (any version) is not vulnerable
+
+Details:
+========
+
+ Subversion Apache/mod_dav_svn servers may be configured to provide
+ path-based access control for files and directories stored in the
+ Subversion repository.
+
+ One such configuration -- identified by the use of the SVNPathAuthz
+ httpd.conf directive with a value of "short_circuit" -- instructs
+ mod_dav_svn to directly query the authorization logic in
+ libsvn_repos to answer access questions ("Does the user who is
+ requesting information from this server have permission to read
+ SOME-PATH in SOME-REVISION?") rather than employing Apache
+ subrequests to do the same. With such a configuration in place,
+ certain data sets and access rule combinations can trigger an
+ infinite loop of logic that also allocates memory upon each
+ iteration. Over time, all available system memory will be allocated
+ by the logic loop.
+
+Severity:
+=========
+
+ A remote attacker may be able to deny access to a Subversion server
+ by exhausting the available memory on the server.
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to Subversion 1.6.17. Users of
+ Subversion 1.5.x or 1.6.x who are unable to upgrade may apply the
+ included patch.
+
+ New Subversion packages can be found at:
+ http://subversion.apache.org/packages.html
+
+References:
+===========
+
+ CVE-2011-1783 (Subversion)
+
+Reported by:
+============
+
+ Ivan Zhakov, VisualSVN
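Review bot: Details ties the loop to the "SVNPathAuthz short_circuit" configuration, yet "Known vulnerable" lists every HTTPD server >= 1.5.0 and <= 1.6.16 without qualification. State explicitly whether servers that do not set short_circuit are affected, so administrators can assess their exposure from the advisory alone. Recommendations also refers to "the included patch", which does not appear anywhere in the 69 added lines.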
Propchange: subversion/site/publish/security/CVE-2011-1783-advisory.txt
------------------------------------------------------------------------------
svn:eol-style = native
Added: subversion/site/publish/security/CVE-2011-1921-advisory.txt
URL:
http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2011-1921-advisory.txt?rev=1130281&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2011-1921-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2011-1921-advisory.txt Wed Jun 1
20:05:22 2011
@@ -0,0 +1,94 @@
+ Subversion HTTP servers 1.5.0 to 1.6.16 (inclusive) could leak the
+ contents of files configured to be unreadable.
+
+Summary:
+========
+
+ Subversion's mod_dav_svn Apache HTTPD server module may leak to
+ remote users the file contents of files configured to be unreadable
+ by those users.
+
+ There are no known instances of this problem being observed in the
+ wild, but an exploit has been tested.
+
+Known vulnerable:
+=================
+
+ Subversion HTTPD servers >= 1.5.0 and <= 1.6.16
+
+Known fixed:
+============
+
+ Subversion 1.6.17
+ svnserve (any version) is not vulnerable
+
+Details:
+========
+
+ Subversion Apache/mod_dav_svn servers may be configured to provide
+ path-based access control for files and directories stored in the
+ Subversion repository.
+
+ In the general case, mod_dav_svn asks access questions ("Does the
+ user who is requesting information from this server have permission
+ to read SOME-PATH in SOME-REVISION?") of Apache's authorization
+ subsystem using Apache's internal subrequest mechanism. Apache
+ partially handles these subrequests, returning either a successful
+ or an unsuccessful status code after its authorization subsystem has
+ determined whether read access to the requested resource URL has
+ been granted or denied, respectively.
+
+ In certain circumstances, mod_dav_svn improperly generates the
+ resource URLs that it uses in these subrequests, resulting in
+ Apache's authorization subsystem answering the access question for
+ the incorrect resource. Specifically, this leakage is limited to:
+
+ * files and directories which are themselves configured to be
+ unreadable, but
+
+ * which are children (immediate or otherwise) of a readable
+ directory which itself was copied or moved from an unreadable
+ path, and
+
+ * which were present in that directory at the time of its copy or
+ move.
+
+ * Finally, the attacker must be using mod_dav_svn's "replay"
+ REPORT mechanism to access the extended history of the
+ repository.
+
+ NOTE: This vulnerability is not triggerable if mod_dav_svn is
+ configured with the "SVNPathAuthz short_circuit" httpd.conf
+ directive. Unfortunately, an independent denial of service
+ vulnerability (CVE-2011-1783) prevents the use of this approach
+ as a suitable workaround.
+
+Severity:
+=========
+
+ File contents of privileged documents could be leaked in full to
+ users who shouldn't be permitted to see them.
+
+ NOTE: We believe this leak is limited to a specific revision of
+ those documents -- the revision in which their parent directory was
+ copied from an unreadable location -- but have not verified as much.
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to Subversion 1.6.17. Users of
+ Subversion 1.5.x or 1.6.x who are unable to upgrade may apply the
+ included patch.
+
+ New Subversion packages can be found at:
+ http://subversion.apache.org/packages.html
+
+References:
+===========
+
+ CVE-2011-1921 (Subversion)
+
+Reported by:
+============
+
+ Kamesh Jayachandran, CollabNet, Inc.
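Review bot: In the Details list introduced by "this leakage is limited to:", the first three bullets describe the affected files and directories, but the fourth ("Finally, the attacker must be using mod_dav_svn's "replay" REPORT mechanism") is a condition on the request, so the list no longer reads as one sentence. Move the replay REPORT requirement into its own sentence after the list. Recommendations also mentions "the included patch", which is not present in the 94 added lines.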
Propchange: subversion/site/publish/security/CVE-2011-1921-advisory.txt
------------------------------------------------------------------------------
svn:eol-style = native
Modified: subversion/site/publish/security/index.html
URL:
http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1130281&r1=1130280&r2=1130281&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Wed Jun 1 20:05:22 2011
@@ -115,6 +115,21 @@ Subversion project.</p>
<td>1.2.0-1.5.9, 1.6.0-1.6.15</td>
<td>Server NULL-pointer dereference</td>
</tr>
+<tr>
+<td><a href="CVE-2011-1752-advisory.txt">CVE-2011-1752-advisory.txt</a></td>
+<td>1.0.0-1.6.16</td>
+<td>Server NULL-pointer dereference</td>
+</tr>
+<tr>
+<td><a href="CVE-2011-1783-advisory.txt">CVE-2011-1783-advisory.txt</a></td>
+<td>1.5.0-1.6.15</td>
+<td>Server memory exhaustion</td>
+</tr>
+<tr>
+<td><a href="CVE-2011-1921-advisory.txt">CVE-2011-1921-advisory.txt</a></td>
+<td>1.5.0-1.6.16</td>
+<td>mod_dav_svn exposure of unreadable paths</td>
+</tr>
</tbody>
</table>
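Review bot: The new CVE-2011-1783 row gives the affected range as "1.5.0-1.6.15", but the advisory added in this same commit says 1.5.0 to 1.6.16 (inclusive) and names 1.6.17 as the fix, so the cell should read 1.5.0-1.6.16. The CVE-2011-1752 row states a lower bound of 1.0.0, while the advisory text only says "<= 1.6.16"; it is worth making the two agree.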