Package: subversion
Version: 1.14.2-3+b1
Severity: critical
Tags: security upstream
Justification: causes serious data loss
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Forwarded: https://lists.apache.org/thread/54hk6wbqsjnyl3h6p88tno2gpmgr4otd

(The "critical" severity is in part because the data loss was
triggered by a remote attack, though the data loss may occur
with any kind of network failure.)

I wanted to edit a log message with

  svn pe --revprop svn:log -r 151946

(not just a minor change, I was replacing text by a much longer text),
but got an immediate error from SSH after quitting the editor:

kex_exchange_identification: read: Connection reset by peer
Connection reset by 155.133.131.76 port 22
svn: E170013: Unable to connect to a repository at URL 'svn+ssh://mysvn'
svn: E210002: To better debug SSH connection problems, remove the -q option 
from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly

Subversion apparently does not keep a copy of the text (contrary to
the case of a commit, which leaves a svn-commit.tmp file), so the
whole new text was lost!!!

I noticed a bit later that the cause of the failure was a remote attack
from a single IP, which led to "beginning MaxStartups throttling" by
sshd. There is protection by fail2ban on my server, but it takes a few
seconds to react. This is quite a short time, but this was sufficient
to make an SSH failure on my side and lose data.

(There are a bit more details in my upstream bug report, see Forwarded.)

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages subversion depends on:
ii  libapr1      1.7.0-8
ii  libaprutil1  1.6.1-5+b2
ii  libc6        2.34-8
ii  libsvn1      1.14.2-3+b1

subversion recommends no packages.

Versions of packages subversion suggests:
pn  db5.3-util          <none>
pn  libapache2-mod-svn  <none>
ii  patch               2.7.6-7
ii  subversion-tools    1.14.2-3+b1

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

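A defensive wrapper for the propedit case described in the report, as an added example that is not part of the bug report or of Subversion: it edits the revision property through a file that stays on disk until `svn propset` has succeeded, so a dropped SSH connection cannot lose the new text. It assumes `svn` is on PATH and `$EDITOR` names the editor; the kept-file name, the retry count and the `RETRY_DELAY` variable are my own choices.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Subversion.
# Edits a revision property (e.g. svn:log) through a file that is kept on
# disk until "svn propset" has succeeded, so a dropped SSH connection, as in
# the report above, cannot lose the new text. Assumes svn is on PATH and
# $EDITOR names the editor; file name, retry count and RETRY_DELAY are my own.
#
# Usage: safe_revprop_edit URL REV PROPNAME
#   exit 0: property updated (or unchanged); exit 1: failed, text kept in
#   svn-revprop-<name>-r<REV>.tmp for a later "svn propset -F".
safe_revprop_edit() {
    url=$1; rev=$2; prop=$3
    keep="svn-revprop-${prop##*:}-r${rev}.tmp"   # e.g. svn-revprop-log-r151946.tmp

    # Fetch the current value into the kept file and remember the original.
    svn propget --revprop -r "$rev" "$prop" "$url" > "$keep" || return 1
    cp "$keep" "$keep.orig"

    # Edit the copy on disk; the text now exists before any network step.
    ${EDITOR:-vi} "$keep" || return 1
    if cmp -s "$keep" "$keep.orig"; then
        echo "no change, nothing to send" >&2
        rm -f "$keep" "$keep.orig"
        return 0
    fi

    # The only network-dependent step; the file survives every failure.
    for attempt in 1 2 3; do
        if svn propset --revprop -r "$rev" "$prop" -F "$keep" "$url"; then
            rm -f "$keep" "$keep.orig"
            return 0
        fi
        echo "attempt $attempt failed; edited text kept in $keep" >&2
        sleep "${RETRY_DELAY:-5}"
    done
    return 1
}

if [ "$#" -eq 3 ]; then
    safe_revprop_edit "$@"
fi
```

If all attempts fail, the edited text is still in the kept file and can be sent later with `svn propset --revprop -r REV PROPNAME -F FILE URL` once the connection is back.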