Arch Linux Security Advisory ASA-201508-5
=========================================
Severity: Medium
Date    : 2015-08-14
CVE-ID  : CVE-2015-3184 CVE-2015-3187
Package : subversion
Type    : authentication bypass
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package subversion before version 1.9.0-1 is vulnerable to
authentication bypass.

Resolution
==========
Upgrade to 1.9.0-1.

# pacman -Syu "subversion>=1.9.0-1"

The problem has been fixed upstream in versions 1.9.0, 1.8.14 and 1.7.21.

Workaround
==========
CVE-2015-3184 can be mitigated by disabling mixed
anonymous/authenticated authz.

There is no known workaround for CVE-2015-3187.
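As an added illustration, not part of the Arch advisory or of the Subversion project's own material, the httpd 2.4 fragment below shows the mixed anonymous/authenticated mod_authz_svn pattern that CVE-2015-3184 concerns, next to the workaround of requiring authentication for every request. Repository paths, the realm name and the password file are assumed placeholders.

```apache
# --- Before: mixed anonymous/authenticated authz (affected pattern) ---
# "Satisfy Any" lets anonymous requests through, and the per-path rules
# in the access file are expected to decide what the anonymous user "*"
# may read versus what only authenticated users may read.
<Location /svn>
    DAV svn
    # assumed paths
    SVNParentPath /srv/svn/repos
    AuthzSVNAccessFile /srv/svn/authz

    AuthType Basic
    # assumed realm and password file
    AuthName "Subversion repositories"
    AuthUserFile /srv/svn/htpasswd

    # Mixed mode: try anonymous access first, fall back to a login prompt.
    Satisfy Any
    Require valid-user
</Location>

# --- After: mixed authz disabled (workaround from the advisory) ---
# Without "Satisfy Any" every request must authenticate before
# mod_authz_svn consults the access file, so no path is ever evaluated
# for the anonymous user. Use one of the two blocks, not both.
<Location /svn>
    DAV svn
    SVNParentPath /srv/svn/repos
    AuthzSVNAccessFile /srv/svn/authz

    AuthType Basic
    AuthName "Subversion repositories"
    AuthUserFile /srv/svn/htpasswd

    Require valid-user
</Location>
```

Removing `Satisfy Any` means previously anonymous read-only consumers (build systems, mirrors) need credentials; grant those accounts the same read rules the `*` entry had in the access file.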

Description
===========
- CVE-2015-3184:

Subversion's mod_authz_svn does not properly restrict anonymous access
in some mixed anonymous/authenticated environments when using Apache
httpd 2.4. The result is that anonymous access may be possible to files
for which only authenticated access should be possible.

- CVE-2015-3187:

Subversion servers, both httpd and svnserve, will reveal some paths that
should be hidden by path-based authz. When a node is copied from an
unreadable location to a readable location the unreadable path may be
revealed. This vulnerability only reveals the path, it does not reveal
the contents of the path.

Impact
======
A remote unauthenticated attacker may be able to access files that
should be restricted to authenticated users.

References
==========
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3184
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3187
https://subversion.apache.org/security/CVE-2015-3184-advisory.txt
https://subversion.apache.org/security/CVE-2015-3187-advisory.txt
