On Tue, Sep 22, 2020 at 4:09 PM Vibin Bruno <vbruno...@gmail.com> wrote:
>
> Kindly help in resolving the below vulnerabilities
>
> On Mon, Sep 21, 2020, 02:06 Vibin Bruno <vbruno...@gmail.com> wrote:
>>
>> Hi Team,
>>
>> Our security team has raised the below vulnerabilities in SVN.
>>
>> 1. Concurrent login allowed in SVN console - the same user can log in to the
>> console at the same time using two machines.

This is not a vulnerability. It's a feature. Sessions using SSH keys or credentials may be automated for continuous integration systems to permit dozens or hundreds of simultaneous sessions. It's not a Subversion problem per se; it's built into the transport mechanisms such as SSH sessions for svn+ssh, the svnserve daemon, or the httpd daemon for mod_svn access. It's not built for single-threaded operation, though I suppose with httpd you could set it up that way.

>> 2. Brute Force attack - user should be locked after 3 incorrect login attempts.

That's back end authentication, typically built into the Kerberos based authentication of tools like Active Directory or other LDAP and Kerberos systems, not a Subversion issue; httpd, svnserve and SSH access can all use such a back end. I suggest that you find whoever is telling you to resolve these issues and enroll them in some courses on how password based authentication normally works.

>> Kindly help us in resolving the above vulnerabilities.

These are not Subversion issues. They are authentication back end issues, most of them easily configured for a desired policy. Who is calling these "vulnerabilities"? It's like saying that having a window that opens is a vulnerability; it's how the systems normally work.

Nico Kadel-Garcia

>>
>> Regards,
>> Micheal
>> 8655557405
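Where the authentication back end offers no lockout policy, the usual compensating control for item 2 is to watch the front end's own logs for repeated failures. The script below is an added example for this thread, not code from the thread or from the Subversion project: it counts failed logins per user in an httpd error log in front of mod_dav_svn. The log lines are constructed, and their shape (mod_auth_basic's AH01617 "authentication failure" message) is an assumption about your httpd's modules and LogLevel; the threshold of 3 mirrors the requirement quoted above, and the script only reports, it does not lock anyone out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample httpd error-log lines (not taken from a real server).
# Assumed format: mod_auth_basic's AH01617 message as logged at LogLevel warn.
SAMPLE_LOG = """\
[Tue Sep 22 16:01:02.000000 2020] [auth_basic:error] [pid 1] [client 10.0.0.5:4001] AH01617: user micheal: authentication failure for "/svn/repo": Password Mismatch
[Tue Sep 22 16:01:05.000000 2020] [auth_basic:error] [pid 1] [client 10.0.0.5:4002] AH01617: user micheal: authentication failure for "/svn/repo": Password Mismatch
[Tue Sep 22 16:01:07.000000 2020] [auth_basic:error] [pid 1] [client 10.0.0.5:4003] AH01617: user micheal: authentication failure for "/svn/repo": Password Mismatch
[Tue Sep 22 16:20:00.000000 2020] [auth_basic:error] [pid 1] [client 10.0.0.9:5001] AH01617: user ci-bot: authentication failure for "/svn/repo": Password Mismatch
[Tue Sep 22 16:30:00.000000 2020] [auth_basic:error] [pid 1] [client 10.0.0.9:5002] AH01617: user ci-bot: authentication failure for "/svn/repo": Password Mismatch
"""

# Timestamp, client address and user name; the URI and reason are ignored.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d+ [\d:.]+ \d{4})\] .*?"
    r"\[client (?P<ip>[\d.]+):\d+\] AH01617: user (?P<user>\S+): authentication failure"
)


def parse_failures(text):
    """Yield (timestamp, user, client_ip) for every authentication-failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
            yield ts, m.group("user"), m.group("ip")


def brute_force_suspects(text, threshold=3, window_seconds=300):
    """Return {user: max_failures} for users with >= threshold failures inside
    any sliding window of window_seconds. Per-user timestamps are sorted, so
    out-of-order lines (e.g. merged from several workers) are handled."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for ts, user, _ip in parse_failures(text):
        per_user[user].append(ts)
    suspects = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                suspects[user] = max(suspects.get(user, 0), end - start + 1)
    return suspects


if __name__ == "__main__":
    print(brute_force_suspects(SAMPLE_LOG))  # {'micheal': 3}
```

Feed it the real error log instead of SAMPLE_LOG; ci-bot's two failures ten minutes apart stay below the threshold, which is the distinction a lockout rule has to make for the automated sessions described above.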