Re: CVE-2007-3846 Vulnerability
Good day Daniel.

Thank you for the prompt response. As in the other one, I could not find the resolution. But, this is exactly what we need to counter the opposition. Yes, this was a pasting error.

CA

On Wednesday, March 22, 2023 at 11:48:08 AM UTC-4 Daniel Sahlberg wrote:

> On Wednesday, 22 March 2023 at 15:53:09 UTC+1, F Technologies wrote:
>
> > Good day all.
> >
> > My organization is trying to use TortoiseSVN as a version control client. In researching, from the user group, it looks as though this may not be accepted as a vulnerability by TortoiseSVN.
> >
> > The concern is that a macro can be executed which might harm a network. It appears that there are a number of steps to get there.
> >
> > 1. Can someone please advise if this was addressed?
> > 2. If addressed, where might I find documentation on the resolution?
> > 3. If not, are there plans to?
> > 4. If no plans, requesting explanation why so I can present to organization.
> >
> > I am hoping to obtain an answer by end of day Thursday as I have a meeting to rebut objections.
> >
> > Thanks.
> >
> > https://www.cvedetails.com/cve/CVE-2019-14422/
>
> In the title you mention CVE-2007-3846 but the link is something else. I assume this is a case of copy-paste error and assume it is CVE-2007-3846 you refer to.
>
> Please see the Apache Subversion advisory:
> https://subversion.apache.org/security/CVE-2007-3846-advisory.txt
>
> The version numbers for TortoiseSVN and Apache Subversion are in general the same. Exceptions exist, for example within the 1.14 line, TortoiseSVN in general has a higher version number than the Apache Subversion library version.
>
> Thus I'm sure TortoiseSVN version 1.14.5 is not affected by CVE-2007-3846.
>
> Kind regards
> Daniel
Re: CVE-2019-14422 Vulnerability
Daniel.

Thank you for the quick response. This definitely helps us to counter the opposition. The objection was a reaction to the CVE being there. The team asking for the software figured there was a fix as it was reported version 1.12.

CA

On Wednesday, March 22, 2023 at 12:10:20 PM UTC-4 Daniel Sahlberg wrote:

> On Wednesday, 22 March 2023 at 15:53:04 UTC+1, F Technologies wrote:
>
> > Good day all.
> >
> > My organization is trying to use TortoiseSVN as a version control client. In researching, from the user group, it looks as though this may not be accepted as a vulnerability by TortoiseSVN.
> >
> > The concern is that a macro can be executed which might harm a network. It appears that there are a number of steps to get there.
> >
> > 1. Can someone please advise if this was addressed?
> > 2. If addressed, where might I find documentation on the resolution?
> > 3. If not, are there plans to?
> > 4. If no plans, requesting explanation why so I can present to organization.
> >
> > I am hoping to obtain an answer by end of day Thursday as I have a meeting to rebut objections.
> >
> > Thanks.
> >
> > https://www.cvedetails.com/cve/CVE-2019-14422/
>
> Please check r28647 of the diff script at https://svn.osdn.net/svnroot/tortoisesvn/trunk/contrib/diff-scripts/, it adds a protection layer by disabling macros:
>
>     // disable all macros
>     objExcelApp.AutomationSecurity = 3; //msoAutomationSecurityForceDisable
>
> Based on the date it seems to be in reaction to the CVE. It should have been included in the 1.13 release, it certainly is included as installed in 1.14.5.
>
> Kind regards,
> Daniel
Re: CVE-2019-14422 Vulnerability
On Wednesday, 22 March 2023 at 15:53:04 UTC+1, F Technologies wrote:

> Good day all.
>
> My organization is trying to use TortoiseSVN as a version control client. In researching, from the user group, it looks as though this may not be accepted as a vulnerability by TortoiseSVN.
>
> The concern is that a macro can be executed which might harm a network. It appears that there are a number of steps to get there.
>
> 1. Can someone please advise if this was addressed?
> 2. If addressed, where might I find documentation on the resolution?
> 3. If not, are there plans to?
> 4. If no plans, requesting explanation why so I can present to organization.
>
> I am hoping to obtain an answer by end of day Thursday as I have a meeting to rebut objections.
>
> Thanks.
>
> https://www.cvedetails.com/cve/CVE-2019-14422/

Please check r28647 of the diff script at https://svn.osdn.net/svnroot/tortoisesvn/trunk/contrib/diff-scripts/, it adds a protection layer by disabling macros:

    // disable all macros
    objExcelApp.AutomationSecurity = 3; //msoAutomationSecurityForceDisable

Based on the date it seems to be in reaction to the CVE. It should have been included in the 1.13 release, it certainly is included as installed in 1.14.5.

Kind regards,
Daniel
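
A defender-side check for the mitigation described in the reply above, as an added example that is not part of the original thread or of TortoiseSVN's code: it scans the text of a Windows Script Host diff script and reports any Office automation object that opens a document without first setting `AutomationSecurity = 3`. The function names, status strings and the two sample scripts are constructed for illustration.

```javascript
// Added example (not TortoiseSVN code): static check of a WSH diff script.
// Reports every Office automation object and whether macros are force-disabled
// (AutomationSecurity = 3, msoAutomationSecurityForceDisable) before a file opens.
const FORCE_DISABLE = 3;

function stripComments(src) {
  // Drop /* */ and // comments so a commented-out assignment does not count.
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/(^|[^:])\/\/.*$/gm, "$1");
}

function auditDiffScript(source) {
  const code = stripComments(source);
  const findings = [];
  // x = new ActiveXObject("Excel.Application") or x = WScript.CreateObject("Word.Application")
  const create = /(\w+)\s*=\s*(?:new\s+ActiveXObject|WScript\.CreateObject)\s*\(\s*"(\w+)\.Application"/g;
  let m;
  while ((m = create.exec(code)) !== null) {
    const [, variable, app] = m;
    const rest = code.slice(m.index);
    const open = rest.search(new RegExp("\\b" + variable + "\\.\\w+\\.Open\\s*\\("));
    const sec = new RegExp("\\b" + variable + "\\.AutomationSecurity\\s*=\\s*(\\d+)").exec(rest);
    let status = "ok";
    if (!sec) status = "missing";
    else if (Number(sec[1]) !== FORCE_DISABLE) status = "wrong-value";
    else if (open !== -1 && sec.index > open) status = "set-after-open";
    findings.push({ variable, app, status });
  }
  return findings;
}

// Constructed sample scripts (illustrative, not copied from the repository).
const hardened = [
  'var objExcelApp = new ActiveXObject("Excel.Application");',
  "// disable all macros",
  "objExcelApp.AutomationSecurity = 3; //msoAutomationSecurityForceDisable",
  "var wb = objExcelApp.Workbooks.Open(sBaseDoc);",
].join("\n");
const unprotected = [
  'var objExcelApp = new ActiveXObject("Excel.Application");',
  "// objExcelApp.AutomationSecurity = 3;",
  "var wb = objExcelApp.Workbooks.Open(sBaseDoc);",
].join("\n");

console.log(auditDiffScript(hardened), auditDiffScript(unprotected));
```

To audit a workstation, read the text of each installed diff script and pass it to `auditDiffScript`; any status other than `ok` means that script can open a document with macros still enabled.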
Re: CVE-2007-3846 Vulnerability
On Wednesday, 22 March 2023 at 15:53:09 UTC+1, F Technologies wrote:

> Good day all.
>
> My organization is trying to use TortoiseSVN as a version control client. In researching, from the user group, it looks as though this may not be accepted as a vulnerability by TortoiseSVN.
>
> The concern is that a macro can be executed which might harm a network. It appears that there are a number of steps to get there.
>
> 1. Can someone please advise if this was addressed?
> 2. If addressed, where might I find documentation on the resolution?
> 3. If not, are there plans to?
> 4. If no plans, requesting explanation why so I can present to organization.
>
> I am hoping to obtain an answer by end of day Thursday as I have a meeting to rebut objections.
>
> Thanks.
>
> https://www.cvedetails.com/cve/CVE-2019-14422/

In the title you mention CVE-2007-3846 but the link is something else. I assume this is a case of copy-paste error and assume it is CVE-2007-3846 you refer to.

Please see the Apache Subversion advisory:
https://subversion.apache.org/security/CVE-2007-3846-advisory.txt

The version numbers for TortoiseSVN and Apache Subversion are in general the same. Exceptions exist, for example within the 1.14 line, TortoiseSVN in general has a higher version number than the Apache Subversion library version.

Thus I'm sure TortoiseSVN version 1.14.5 is not affected by CVE-2007-3846.

Kind regards
Daniel
CVE-2007-3846 Vulnerability
Good day all.

My organization is trying to use TortoiseSVN as a version control client. In researching, from the user group, it looks as though this may not be accepted as a vulnerability by TortoiseSVN.

The concern is that a macro can be executed which might harm a network. It appears that there are a number of steps to get there.

1. Can someone please advise if this was addressed?
2. If addressed, where might I find documentation on the resolution?
3. If not, are there plans to?
4. If no plans, requesting explanation why so I can present to organization.

I am hoping to obtain an answer by end of day Thursday as I have a meeting to rebut objections.

Thanks.

https://www.cvedetails.com/cve/CVE-2019-14422/
CVE-2019-14422 Vulnerability
Good day all.

My organization is trying to use TortoiseSVN as a version control client. In researching, from the user group, it looks as though this may not be accepted as a vulnerability by TortoiseSVN.

The concern is that a macro can be executed which might harm a network. It appears that there are a number of steps to get there.

1. Can someone please advise if this was addressed?
2. If addressed, where might I find documentation on the resolution?
3. If not, are there plans to?
4. If no plans, requesting explanation why so I can present to organization.

I am hoping to obtain an answer by end of day Thursday as I have a meeting to rebut objections.

Thanks.

https://www.cvedetails.com/cve/CVE-2019-14422/
CVE-2007-3846 Vulnerability
Good day all.

My organization is trying to use TortoiseSVN as a version control client. In researching, from the user group, it looks as though this may not be accepted as a vulnerability by TortoiseSVN.

The concern is that a macro can be executed which might harm a network. It appears that there are a number of steps to get there.

1. Can someone please advise if this was addressed?
2. If addressed, where might I find documentation on the resolution?
3. If not, are there plans to?
4. If no plans, requesting explanation why so I can present to organization.

Thanks.

https://www.cvedetails.com/cve/CVE-2007-3846/
CVE-2019-14422 Vulnerability
Good day all.

My organization is trying to use TortoiseSVN as a version control client. In researching, from the user group, it looks as though this may not be accepted as a vulnerability by TortoiseSVN.

The concern is that a macro can be executed which might harm a network. It appears that there are a number of steps to get there.

1. Can someone please advise if this was addressed?
2. If addressed, where might I find documentation on the resolution?
3. If not, are there plans to?
4. If no plans, requesting explanation why so I can present to organization.

Thanks.

https://www.cvedetails.com/cve/CVE-2019-14422/