USN-3388-1: Subversion vulnerabilities

Discussion in 'Security' started by Ubuntu Security Notices, Aug 13, 2017.

    Ubuntu Security Notice USN-3388-1


    11th August, 2017

    subversion vulnerabilities


    A security issue affects these releases of Ubuntu and its derivatives:

    • Ubuntu 17.04
    • Ubuntu 16.04 LTS
    • Ubuntu 14.04 LTS
    Summary


    Several security issues were fixed in Subversion.

    Software description

    • subversion - Advanced version control system
    Details


    Joern Schneeweisz discovered that Subversion did not properly handle
    host names in 'svn+ssh://' URLs. A remote attacker could use this to
    construct a Subversion repository that, when accessed (for example
    through an svn:externals definition pointing at a crafted svn+ssh://
    URL), could run arbitrary code with the privileges of the user running
    the client. (CVE-2017-9800)

    Daniel Shahaf and James McCoy discovered that Subversion did not
    properly verify realms when using Cyrus SASL authentication. A
    remote attacker could use this to possibly bypass intended access
    restrictions. This issue only affected Ubuntu 14.04 LTS and Ubuntu
    16.04 LTS. (CVE-2016-2167)

    Florian Weimer discovered that Subversion clients did not properly
    restrict XML entity expansion when parsing server responses for
    http(s):// URLs. A malicious or compromised server could use this to
    cause a denial of service in the client. This issue only affected
    Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-8734)

    Update instructions


    The problem can be corrected by updating your system to the following package versions:

    Ubuntu 17.04:
    subversion 1.9.5-1ubuntu1.1
    libsvn1 1.9.5-1ubuntu1.1
    Ubuntu 16.04 LTS:
    subversion 1.9.3-2ubuntu1.1
    libapache2-svn 1.9.3-2ubuntu1.1
    libapache2-mod-svn 1.9.3-2ubuntu1.1
    libsvn1 1.9.3-2ubuntu1.1
    Ubuntu 14.04 LTS:
    subversion 1.8.8-1ubuntu3.3
    libapache2-svn 1.8.8-1ubuntu3.3
    libapache2-mod-svn 1.8.8-1ubuntu3.3
    libsvn1 1.8.8-1ubuntu3.3

    To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

    In general, a standard system update will make all the necessary changes.
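    The check below is an added example, not part of the Ubuntu notice. It audits
    a host's installed Subversion packages against the fixed versions listed
    above. Rather than shelling out to `dpkg --compare-versions`, it
    reimplements dpkg's version-ordering rules (epoch, upstream version, Debian
    revision; '~' sorts before everything; digit runs compare numerically), so
    it can also run against package inventories collected from many hosts. The
    version table is copied from the notice; the dpkg-query output at the bottom
    is a constructed sample, and on a real host you would feed it the output of
    `dpkg-query -W -f='${Package} ${Version}\n' subversion libsvn1
    libapache2-mod-svn libapache2-svn` instead.

```python
"""Audit installed Subversion packages against USN-3388-1 (added example)."""

# Fixed versions per Ubuntu release, exactly as listed in the notice.
FIXED_VERSIONS = {
    "17.04": {
        "subversion": "1.9.5-1ubuntu1.1",
        "libsvn1": "1.9.5-1ubuntu1.1",
    },
    "16.04": {
        "subversion": "1.9.3-2ubuntu1.1",
        "libapache2-svn": "1.9.3-2ubuntu1.1",
        "libapache2-mod-svn": "1.9.3-2ubuntu1.1",
        "libsvn1": "1.9.3-2ubuntu1.1",
    },
    "14.04": {
        "subversion": "1.8.8-1ubuntu3.3",
        "libapache2-svn": "1.8.8-1ubuntu3.3",
        "libapache2-mod-svn": "1.8.8-1ubuntu3.3",
        "libsvn1": "1.8.8-1ubuntu3.3",
    },
}


def _order(c: str) -> int:
    """dpkg's weight for one character of a non-digit run:
    '~' < end-of-string/digit < letters < other punctuation."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(): <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using dpkg weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run is a larger number,
        # equal-length runs are decided by the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Same ordering as `dpkg --compare-versions`: <0 if a<b, 0 if equal, >0 if a>b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    return c if c != 0 else _verrevcmp(ra, rb)


def parse_dpkg_query(output: str) -> dict:
    """Parse 'package version' lines as printed by dpkg-query -W -f='${Package} ${Version}\\n'."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            installed[parts[0]] = parts[1]
    return installed


def audit(release: str, dpkg_output: str) -> dict:
    """For each package from the notice that is installed, return
    package -> (installed_version, fixed_version, is_fixed)."""
    installed = parse_dpkg_query(dpkg_output)
    report = {}
    for pkg, fixed in FIXED_VERSIONS[release].items():
        if pkg in installed:
            have = installed[pkg]
            report[pkg] = (have, fixed, compare_versions(have, fixed) >= 0)
    return report


# Constructed sample: dpkg-query output from a 16.04 host that has not yet
# picked up the update (all three packages still on the pre-advisory build).
SAMPLE_DPKG_OUTPUT = """\
subversion 1.9.3-2ubuntu1
libsvn1 1.9.3-2ubuntu1
libapache2-mod-svn 1.9.3-2ubuntu1
"""

if __name__ == "__main__":
    for pkg, (have, want, ok) in audit("16.04", SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg:20s} installed {have:18s} fixed {want:18s} {'OK' if ok else 'VULNERABLE'}")
```

    Check libsvn1 and not just the subversion client package: the fixes live in
    the shared library, which every client on the host (svn, mod_dav_svn,
    svnserve, git-svn) links against. Processes that already have the old
    library mapped keep running the vulnerable code until they are restarted,
    so an Apache instance serving mod_dav_svn, or a long-running svnserve, needs
    a restart after the package update.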

    References


    CVE-2016-2167, CVE-2016-8734, CVE-2017-9800
