Author: troycurtisjr
Date: Wed Jan 23 03:06:39 2019
New Revision: 1851873
URL: http://svn.apache.org/viewvc?rev=1851873&view=rev
Log:
Add CVE-2018-11803 notices to the website.
* index.html, news.html
- Add security announcement.
- Include CVE link in 1.11.1 and 1.10.4 release announcements.
- Ensure anchor ids are unique.
* security/CVE-2018-11803-advisory.txt New file.
* security/CVE-2018-11803-advisory.txt.asc New file.
* security/index.html
Add links to CVE-2018-11803 advisory and signature.
Added:
subversion/site/publish/security/CVE-2018-11803-advisory.txt
subversion/site/publish/security/CVE-2018-11803-advisory.txt.asc
Modified:
subversion/site/publish/index.html
subversion/site/publish/news.html
subversion/site/publish/security/index.html
Modified: subversion/site/publish/index.html
URL:
http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1851873&r1=1851872&r2=1851873&view=diff
==============================================================================
--- subversion/site/publish/index.html (original)
+++ subversion/site/publish/index.html Wed Jan 23 03:06:39 2019
@@ -64,6 +64,30 @@
<!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
+<div class="h3" id="news-20190118">
+<h3>2019-01-18 — Apache Subversion Security Advisory
+<a class="sectionlink" href="#news-20190118"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>The recent releases of Apache Subversion, 1.10.4 and 1.11.1, contain a fix
+ for a moderate severity security issue <a
+ href="/security/CVE-2018-11803-advisory.txt">CVE-2018-11803</a>. This issue
can
+ allow an unauthenticated user to crash the httpd process serving a Subversion
+ repository configured to allow anonymous read access. We encourage users of
+ Subversion to upgrade to the latest appropriate version as soon as reasonable.
+
+ Please see the <a
+ href="https://lists.apache.org/[email protected]";
+ >release announcement</a> and the <a href="/docs/release-notes/1.11"> 1.11
+ release notes</a> or <a href="/docs/release-notes/1.10">1.10 release
+ notes</a> for more information about the releases.</p>
+
+<p>To get the latest release from the nearest mirror, please visit our
+ <a href="/download.cgi#recommended-release">download page</a>.</p>
+
+</div> <!-- #news-20190118 -->
+
<div class="h3" id="news-20190111">
<h3>2019-01-11 — Apache Subversion 1.11.1 Released
<a class="sectionlink" href="#news-20190111"
@@ -72,7 +96,10 @@
<p>We are pleased to announce the release of Apache Subversion 1.11.1.
This is the most complete Subversion release to date, and we encourage
- users of Subversion to upgrade as soon as reasonable.
+ users of Subversion to upgrade as soon as reasonable. In addition to the
+ normal collection of bug fixes, and stability enhancements, this release
+ also addresses a security-related issue:
+ <a href="/security/CVE-2018-11803-advisory.txt">CVE-2018-11803</a>
Please see the
<a href="https://lists.apache.org/[email protected]";
>release announcement</a> and the
@@ -84,15 +111,18 @@
</div> <!-- #news-20190111 -->
-<div class="h3" id="news-20190111">
+<div class="h3" id="news-20190111-1">
<h3>2019-01-11 — Apache Subversion 1.10.4 Released
- <a class="sectionlink" href="#news-20190111"
+ <a class="sectionlink" href="#news-20190111-1"
title="Link to this section">¶</a>
</h3>
<p>We are pleased to announce the release of Apache Subversion 1.10.4.
- This is the most complete release of the 1.10.x line to date,
- and we encourage all users to upgrade as soon as reasonable.
+ This is the most complete release of the 1.10.x line to date, and we encourage
+ all users to upgrade as soon as reasonable. In addition to the normal
+ collection of bug fixes, and stability enhancements, this release also
+ addresses a security-related issue:
+ <a href="/security/CVE-2018-11803-advisory.txt">CVE-2018-11803</a>.
Please see the
<a href="https://lists.apache.org/[email protected]";
>release announcement</a> and the
@@ -102,14 +132,14 @@
<p>To get this release from the nearest mirror, please visit our
<a href="/download.cgi#supported-releases">download page</a>.</p>
-</div> <!-- #news-20190111 -->
+</div> <!-- #news-20190111-1 -->
-<div class="h3" id="news-20190111">
+<div class="h3" id="news-20190111-2">
<h3>2019-01-11 — Apache Subversion 1.9.10 Released
- <a class="sectionlink" href="#news-20190111"
+ <a class="sectionlink" href="#news-20190111-2"
title="Link to this section">¶</a>
</h3>
-
+
<p>We are pleased to announce the release of Apache Subversion 1.9.10.
This is the most complete release of the 1.9.x line to date,
and we encourage all users to upgrade as soon as reasonable.
@@ -118,11 +148,11 @@
>release announcement</a> and the
<a href="/docs/release-notes/1.9"
>release notes</a> for more information about this release.</p>
-
+
<p>To get this release from the nearest mirror, please visit our
<a href="/download.cgi#supported-releases">download page</a>.</p>
-
-</div> <!-- #news-20190111 -->
+
+</div> <!-- #news-20190111-2 -->
<p style="font-style: italic; text-align:
right;">[Click <a href="/news.html">here</a> to see all News
Modified: subversion/site/publish/news.html
URL:
http://svn.apache.org/viewvc/subversion/site/publish/news.html?rev=1851873&r1=1851872&r2=1851873&view=diff
==============================================================================
--- subversion/site/publish/news.html (original)
+++ subversion/site/publish/news.html Wed Jan 23 03:06:39 2019
@@ -21,6 +21,31 @@
<!-- facilitate copying news items wholesale from index.html. -->
<!-- Maybe we could insert H2's to split up the news items by -->
<!-- calendar year if we felt the need to do so. -->
+
+<div class="h3" id="news-20190118">
+<h3>2019-01-18 — Apache Subversion Security Advisory
+<a class="sectionlink" href="#news-20190118"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>The recent releases of Apache Subversion, 1.10.4 and 1.11.1, contain a fix
+ for a moderate severity security issue <a
+ href="/security/CVE-2018-11803-advisory.txt">CVE-2018-11803</a>. This issue
can
+ allow an unauthenticated user to crash the httpd process serving a Subversion
+ repository configured to allow anonymous read access. We encourage users of
+ Subversion to upgrade to the latest appropriate version as soon as reasonable.
+
+ Please see the <a
+ href="https://lists.apache.org/[email protected]";
+ >release announcement</a> and the <a href="/docs/release-notes/1.11"> 1.11
+ release notes</a> or <a href="/docs/release-notes/1.10">1.10 release
+ notes</a> for more information about the releases.</p>
+
+<p>To get the latest release from the nearest mirror, please visit our
+ <a href="/download.cgi#recommended-release">download page</a>.</p>
+
+</div> <!-- #news-20190118 -->
+
<div class="h3" id="news-20190111">
<h3>2019-01-11 — Apache Subversion 1.11.1 Released
<a class="sectionlink" href="#news-20190111"
@@ -29,7 +54,10 @@
<p>We are pleased to announce the release of Apache Subversion 1.11.1.
This is the most complete Subversion release to date, and we encourage
- users of Subversion to upgrade as soon as reasonable.
+ users of Subversion to upgrade as soon as reasonable. In addition to the
+ normal collection of bug fixes, and stability enhancements, this release
+ also addresses a security-related issue:
+ <a href="/security/CVE-2018-11803-advisory.txt">CVE-2018-11803</a>
Please see the
<a href="https://lists.apache.org/[email protected]";
>release announcement</a> and the
@@ -41,15 +69,18 @@
</div> <!-- #news-20190111 -->
-<div class="h3" id="news-20190111">
+<div class="h3" id="news-20190111-1">
<h3>2019-01-11 — Apache Subversion 1.10.4 Released
- <a class="sectionlink" href="#news-20190111"
+ <a class="sectionlink" href="#news-20190111-1"
title="Link to this section">¶</a>
</h3>
<p>We are pleased to announce the release of Apache Subversion 1.10.4.
- This is the most complete release of the 1.10.x line to date,
- and we encourage all users to upgrade as soon as reasonable.
+ This is the most complete release of the 1.10.x line to date, and we encourage
+ all users to upgrade as soon as reasonable. In addition to the normal
+ collection of bug fixes, and stability enhancements, this release also
+ addresses a security-related issue:
+ <a href="/security/CVE-2018-11803-advisory.txt">CVE-2018-11803</a>.
Please see the
<a href="https://lists.apache.org/[email protected]";
>release announcement</a> and the
@@ -59,11 +90,11 @@
<p>To get this release from the nearest mirror, please visit our
<a href="/download.cgi#supported-releases">download page</a>.</p>
-</div> <!-- #news-20190111 -->
+</div> <!-- #news-20190111-1 -->
-<div class="h3" id="news-20190111">
+<div class="h3" id="news-20190111-2">
<h3>2019-01-11 — Apache Subversion 1.9.10 Released
- <a class="sectionlink" href="#news-20190111"
+ <a class="sectionlink" href="#news-20190111-2"
title="Link to this section">¶</a>
</h3>
@@ -79,7 +110,7 @@
<p>To get this release from the nearest mirror, please visit our
<a href="/download.cgi#supported-releases">download page</a>.</p>
-</div> <!-- #news-20190111 -->
+</div> <!-- #news-20190111-2 -->
<div class="h3" id="news-20181030">
<h3>2018-10-30 — Apache Subversion 1.11.0 Released
Added: subversion/site/publish/security/CVE-2018-11803-advisory.txt
URL:
http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2018-11803-advisory.txt?rev=1851873&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2018-11803-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2018-11803-advisory.txt Wed Jan 23
03:06:39 2019
@@ -0,0 +1,117 @@
+ Malicious SVN clients can crash mod_dav_svn.
+
+Summary:
+========
+
+ Malicious SVN clients can trigger a crash in mod_dav_svn by omitting
+ the root path from a recursive directory listing request.
+
+Known vulnerable:
+=================
+
+ Subversion 1.10.0 up to, and including, 1.10.3.
+ Subversion 1.11.0.
+
+Known fixed:
+============
+
+ Subversion 1.10.4.
+ Subversion 1.11.1.
+
+Details:
+========
+
+ Subversion 1.10.0 introduced server-side support for recursive directory
+ listing operations. The implementation in mod_dav_svn failed to validate
+ the root path of the directory listing provided by the client. If the
+ client omits the root path, mod_dav_svn will deference an uninitialized
+ pointer variable and crash the HTTPD worker process handling the request.
+
+Severity:
+=========
+
+ CVSSv3 Base Score: 5.3 (Medium)
+ CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+
+ Subversion servers using the HTTP protocol and allow anonymous read access
+ are vulnerable to an unauthenticated denial of service attack.
+ If read access requires authentication, a denial of service attack can
+ only be performed by an authenticated user.
+
+Recommendations:
+================
+
+ We recommend that all users upgrade to Subversion 1.10.4 or 1.11.1.
+
+References:
+===========
+
+ CVE-2018-11803
+
+Reported by:
+============
+
+ Ivan Zhakov <[email protected]>
+
+Patches:
+========
+
+ Patch for Subversion 1.11.0:
+[[[
+Index: subversion/mod_dav_svn/reports/list.c
+===================================================================
+--- subversion/mod_dav_svn/reports/list.c (revision 1829240)
++++ subversion/mod_dav_svn/reports/list.c (working copy)
+@@ -201,7 +201,7 @@
+ dav_svn__authz_read_baton arb;
+ const dav_svn_repos *repos = resource->info->repos;
+ int ns;
+- const char *full_path;
++ const char *full_path = NULL;
+ svn_boolean_t path_info_only;
+ svn_fs_root_t *root;
+ svn_depth_t depth = svn_depth_unknown;
+@@ -280,6 +280,12 @@
+ /* else unknown element; skip it */
+ }
+
++ if (! full_path)
++ {
++ return dav_svn__new_error_svn(resource->pool, HTTP_BAD_REQUEST, 0, 0,
++ "Request was missing the path argument");
++ }
++
+ /* Build authz read baton */
+ arb.r = resource->info->r;
+ arb.repos = resource->info->repos;
+]]]
+
+ Patch for Subversion 1.10.3:
+[[[
+Index: subversion/mod_dav_svn/reports/list.c
+===================================================================
+--- subversion/mod_dav_svn/reports/list.c (revision 1829240)
++++ subversion/mod_dav_svn/reports/list.c (working copy)
+@@ -201,7 +201,7 @@
+ dav_svn__authz_read_baton arb;
+ const dav_svn_repos *repos = resource->info->repos;
+ int ns;
+- const char *full_path;
++ const char *full_path = NULL;
+ svn_boolean_t path_info_only;
+ svn_fs_root_t *root;
+ svn_depth_t depth = svn_depth_unknown;
+@@ -280,6 +280,12 @@
+ /* else unknown element; skip it */
+ }
+
++ if (! full_path)
++ {
++ return dav_svn__new_error_svn(resource->pool, HTTP_BAD_REQUEST, 0, 0,
++ "Request was missing the path argument");
++ }
++
+ /* Build authz read baton */
+ arb.r = resource->info->r;
+ arb.repos = resource->info->repos;
+]]]
Added: subversion/site/publish/security/CVE-2018-11803-advisory.txt.asc
URL:
http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2018-11803-advisory.txt.asc?rev=1851873&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2018-11803-advisory.txt.asc (added)
+++ subversion/site/publish/security/CVE-2018-11803-advisory.txt.asc Wed Jan 23
03:06:39 2019
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEFape0wgW04qdbSMVJHscJlp/h2AFAlxBSmQACgkQJHscJlp/
+h2AAiA/9FLy6dNs+LAiDigqNJKNSBlCOk1JwcnDnBcqgzXFmFI6tNQzILZhaC7D/
+iyVp+jkkJXgO2/6LpHyo2GMV0reh/DmY3Vjy0YQQ1/tVRTV77+/xpBzk51t+MQfd
+FDxnNPNKaKJfgAzZ/+7qN8fqu0vJvfmkICP0cWzmErYxzIblrUimK1z4f+7fJU3W
+5E/ozWlfFcojH07cAi87vuJF1HBgZ2xrEaz5ITeX2nxHjaP9ibpmcUXQicIpgHEW
+EOWJKFJLZz+WEgJNZ06m5VmBvra7GrijacCXpgVNkNBukSkqdXhVP8KKVnEzfIKO
+JYYrEiDJ/m/suE49vfwJfLLmKuLZ+Q0A5l/XVe4LFYDFQrPHsUf9h5UnXQCgfBK4
+cJigO/s4EiLrtRIFo7BRWaPkICDEAspVznyn/JnAdfN5pkLaIGjNoGr+fZSRd0iR
+Yf3ABMV3nxf7Qz5G0IIOfm3a725x1fWatuY7Xt/ZGhXAfpwI99TAvhgOI8P20ns7
+DTD/QeqCvGyaWIt67qEeBbFKUtdLNdWmnW1zXQozvml5twhgWCXkouLn821uh7wK
+51JJ84oy4BtKTzC+6eBXozZP7Xj8wXcBhE288NVAn8IHCfwSvqN65rd84JlgN/Cu
+dKyiXHv9mxF3/GOxt1isy0Gnpq1keFQHf0yAjV8N1Ebkl0pO/xI=
+=U8IG
+-----END PGP SIGNATURE-----
Modified: subversion/site/publish/security/index.html
URL:
http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1851873&r1=1851872&r2=1851873&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Wed Jan 23 03:06:39 2019
@@ -283,6 +283,15 @@ clients using http(s)://</td>
svn:externals and svn:sync-from-url</td>
</tr>
+<tr>
+<td><a href="CVE-2018-11803-advisory.txt">CVE-2018-11803-advisory.txt</a>
+[<a href="CVE-2018-11803-advisory.txt.asc">PGP</a>]</td>
+<td>1.10.0-1.10.3 and 1.11.0</td>
+<td>Subversion's mod_dav_svn Apache HTTPD module will crash after dereferencing
+ an uninitialized pointer if the client omits the root path in a recursive
+ directory listing operation.</td>
+</tr>
+
</tbody>
</table>
