Debian: DSA-2118-1: New subversion packages fix authentication bypass

    Date 08 Oct 2010
    93
    Posted By LinuxSecurity Advisories
    Kamesh Jayachandran and C. Michael Pilat discovered that the mod_dav_svn module of subversion, a version control system, is not properly enforcing access rules which are scope-limited to named repositories. If the SVNPathAuthz option is set to "short_circuit" set this may enable an
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - ---------------------------------------------------------------------------
    Debian Security Advisory DSA-2118-1                     This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.debian.org/security/                                  Nico Golde
    October 8th, 2010                        https://www.debian.org/security/faq
    - ---------------------------------------------------------------------------
    
    Package        : subversion
    Vulnerability  : logic flaw
    Problem type   : remote
    Debian-specific: no
    Debian bug     : none
    CVE ID         : CVE-2010-3315
    
    Kamesh Jayachandran and C. Michael Pilat discovered that the mod_dav_svn
    module of subversion, a version control system, is not properly enforcing
    access rules which are scope-limited to named repositories.  If the
    SVNPathAuthz option is set to "short_circuit" set this may enable an
    unprivileged attacker to bypass intended access restrictions and disclose
    or modify repository content.
    
    As a workaround it is also possible to set SVNPathAuthz to "on" but be
    advised that this can result in a performance decrease for large
    repositories.
    
    
    For the stable distribution (lenny), this problem has been fixed in
    version 1.5.1dfsg1-5.
    
    For the testing distribution (squeeze), this problem has been fixed in
    version 1.6.12dfsg-2.
    
    For the unstable distribution (sid), this problem has been fixed in
    version 1.6.12dfsg-2.
    
    
    We recommend that you upgrade your samba packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5.diff.gz
        Size/MD5 checksum:    91687 44dd10c3137760240bb56a100ca4cba6
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5.dsc
        Size/MD5 checksum:     1845 7878e43c2c80e0a6c07b96d797dfde86
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1.orig.tar.gz
        Size/MD5 checksum:  6805740 09a95bbc203ec516db796bd40d612403
    
    Architecture independent packages:
    
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-doc_1.5.1dfsg1-5_all.deb
        Size/MD5 checksum:  1937436 69a2e5adf8a482d288e3f29357d10194
      https://security.debian.org/pool/updates/main/s/subversion/subversion-tools_1.5.1dfsg1-5_all.deb
        Size/MD5 checksum:   181958 000312b36cc4ff900c4479df748c0172
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby_1.5.1dfsg1-5_all.deb
        Size/MD5 checksum:      764 6fced63bde9227b8f7671fb33cb2d7b1
    
    alpha architecture (DEC Alpha)
    
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_alpha.deb
        Size/MD5 checksum:   533438 7a199374ac5459a5b67e319917037004
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_alpha.deb
        Size/MD5 checksum:  1294012 f35e99abaf9514e824baec6be8585fb2
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_alpha.deb
        Size/MD5 checksum:   899446 d41aa5920720619965450703f3c8fe49
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_alpha.deb
        Size/MD5 checksum:   151234 a153898b355944200fd0187202d49500
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_alpha.deb
        Size/MD5 checksum:  1193012 5ea6e2cc6567bfc3d9a96cdb99255a3e
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_alpha.deb
        Size/MD5 checksum:  1150232 fa24f3c490f6097f028b258c64d8c4f1
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_alpha.deb
        Size/MD5 checksum:  1565150 d41477926238b46ae2e15a9c87299ac0
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_amd64.deb
        Size/MD5 checksum:  1283396 28dcf742f9807ea42333e288b2d8204b
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-java_1.5.1dfsg1-5_amd64.deb
        Size/MD5 checksum:   285336 8bc405f1733103bdc1f8adc4ee9ccc60
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_amd64.deb
        Size/MD5 checksum:   150352 4fd2dacd30026f3ce29dc4cfe0060487
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_amd64.deb
        Size/MD5 checksum:  1211864 a26e60f59bff282e1e9475eacb7bcdcc
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_amd64.deb
        Size/MD5 checksum:   864300 698f5b201980f3a46dc699bab55b83ec
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_amd64.deb
        Size/MD5 checksum:  1219570 fbdcfa0d608b0a3366aae42c0efea222
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_amd64.deb
        Size/MD5 checksum:  1081856 0df403c57d9c7029122c1f3026cf3624
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_amd64.deb
        Size/MD5 checksum:   561334 fbea124e749f15b8f2eb0435b9373c2d
    
    armel architecture (ARM EABI)
    
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_armel.deb
        Size/MD5 checksum:  1079482 9d876a12091cd7d085c35a75ad923e81
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_armel.deb
        Size/MD5 checksum:   755496 fb35757f0a6fb6a407e7896650e88f0d
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_armel.deb
        Size/MD5 checksum:  1008056 411b3292372bf1063f939dd81362ebad
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_armel.deb
        Size/MD5 checksum:  1265200 b0da7f200016785630e7a5cc2bd232e7
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-java_1.5.1dfsg1-5_armel.deb
        Size/MD5 checksum:   270450 76f0839388b1154945866442a181ce80
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_armel.deb
        Size/MD5 checksum:  1007228 b543718e22e8f03f2f415a352182468e
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_armel.deb
        Size/MD5 checksum:   145458 0dbeb3bd0e2c5ed331d5197ff71d0660
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_armel.deb
        Size/MD5 checksum:   486476 f1eb839928409d7d24ce233b54addde6
    
    hppa architecture (HP PA RISC)
    
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_hppa.deb
        Size/MD5 checksum:  1027356 2861729258f5f25f0bb164c5c55a27b7
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_hppa.deb
        Size/MD5 checksum:  1254650 2125678a8e2385e447cedf96b6e17914
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_hppa.deb
        Size/MD5 checksum:   905772 3c4339c885e3bcfaaa1fbcb1d4f341f0
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_hppa.deb
        Size/MD5 checksum:  1295962 06d94ae1bb59ca4ace1f883ea7d7418d
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_hppa.deb
        Size/MD5 checksum:   156242 cd8bd3ea65add9a291924753cff55b20
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_hppa.deb
        Size/MD5 checksum:   588142 ec7dfe6df0dfe58c82cf74a32a7ca667
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_hppa.deb
        Size/MD5 checksum:  1291430 b2b91b912030d496c93af1118b83a17e
    
    i386 architecture (Intel ia32)
    
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_i386.deb
        Size/MD5 checksum:  1074718 0d5f86bc8b50868ed99fd22de2299c14
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-java_1.5.1dfsg1-5_i386.deb
        Size/MD5 checksum:   282014 c5396f219d33502ee0ba6cfd1524d93a
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_i386.deb
        Size/MD5 checksum:  1032258 fea5736294397cbe8cae51171525d268
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_i386.deb
        Size/MD5 checksum:   796404 11e2a23a29bf55d8a5cd7f590bbdf36c
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_i386.deb
        Size/MD5 checksum:  1271350 bdfae53cb17918c53fe2c4bbc42d8f75
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_i386.deb
        Size/MD5 checksum:   145800 8ec9eecc3aa2c0465ae46fee45e05f99
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_i386.deb
        Size/MD5 checksum:   477000 8a147188a35241faeac5ab6888489f1a
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_i386.deb
        Size/MD5 checksum:  1021338 08f8a6a05a8d7471a32bcab7cf162a83
    
    ia64 architecture (Intel ia64)
    
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_ia64.deb
        Size/MD5 checksum:  1413864 84c77d2aabb03897b7410f05f26a57a9
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_ia64.deb
        Size/MD5 checksum:  1461180 94667513edaadb3d78a88ed03591008e
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_ia64.deb
        Size/MD5 checksum:   175784 9c7df1e0e7724919269cc1da319555b3
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_ia64.deb
        Size/MD5 checksum:  1622990 2127f6e7b7151c8f47761a18ba08a2dd
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_ia64.deb
        Size/MD5 checksum:   722714 18ed5dc94721ab1595daab3c02e0de23
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_ia64.deb
        Size/MD5 checksum:  1150024 f34b0db4e7ebf919666db0f57b8d5591
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-java_1.5.1dfsg1-5_ia64.deb
        Size/MD5 checksum:   303334 0a079f6612ee1b4ac7a583b9ef67fee4
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_ia64.deb
        Size/MD5 checksum:  1346014 c7857b73866f98eeef2022c9ac57e6ed
    
    mips architecture (MIPS (Big Endian))
    
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_mips.deb
        Size/MD5 checksum:   977188 7b7d51612243195e5156598fc02329b1
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_mips.deb
        Size/MD5 checksum:   143056 a444d612b30599bbd91ceafebed33c0a
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_mips.deb
        Size/MD5 checksum:  1291450 813a471bd646f4ce4c80b18fe3fe7897
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_mips.deb
        Size/MD5 checksum:   780626 17b703bf018936efd90c130fc75c8804
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_mips.deb
        Size/MD5 checksum:   726576 54599e99dbd1d9d2781f84c091451cf0
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_mips.deb
        Size/MD5 checksum:   431282 a7d5de9575b192b910ae2b8f6da596b7
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_mips.deb
        Size/MD5 checksum:  1278244 5e9e1f6136a7edbbfc537e5308bfb2b5
    
    mipsel architecture (MIPS (Little Endian))
    
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_mipsel.deb
        Size/MD5 checksum:   778638 521e2fe9cbf6b61f097060eeae5c0e42
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_mipsel.deb
        Size/MD5 checksum:   143196 419015f1cd73779a504e1541af596d89
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_mipsel.deb
        Size/MD5 checksum:   950776 117b465365cd0c4ad63ec7711b12c026
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_mipsel.deb
        Size/MD5 checksum:   424336 96946525ffedbe47daae09b1700d7dec
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_mipsel.deb
        Size/MD5 checksum:  1276544 359830f00320d396749aecca8ea366e5
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_mipsel.deb
        Size/MD5 checksum:   720216 1874c5f527f99b1c014a41e2d11c6453
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_mipsel.deb
        Size/MD5 checksum:  1287646 f20ea0befa3d37159bd942e872714c37
    
    powerpc architecture (PowerPC)
    
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_powerpc.deb
        Size/MD5 checksum:  1309342 3fc631a35f69d912998e341127cacf8d
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_powerpc.deb
        Size/MD5 checksum:  1129310 f27b7820ede925740d8c9766800a6749
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-java_1.5.1dfsg1-5_powerpc.deb
        Size/MD5 checksum:   293052 7b5cea363816832c40d9deb8d0cf4ebe
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_powerpc.deb
        Size/MD5 checksum:  1211154 a06326b622c439df7358155a2416a379
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_powerpc.deb
        Size/MD5 checksum:   891340 728cc7a7fba53cb468f39b751fa1eebd
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_powerpc.deb
        Size/MD5 checksum:   539724 b30c1d6b126660abc633dc43073cacfe
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_powerpc.deb
        Size/MD5 checksum:   156110 9be01af660ef7402f4275cc21c37608c
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_powerpc.deb
        Size/MD5 checksum:  1120060 d6591d088fe879f5094c84e8b839d8b0
    
    s390 architecture (IBM S/390)
    
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_s390.deb
        Size/MD5 checksum:  1147140 546e0538fa3b7ecb96e53ccce638a290
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_s390.deb
        Size/MD5 checksum:   525536 7b8ef26f1cdba48838a1bee9a4a347cc
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_s390.deb
        Size/MD5 checksum:  1295362 586d80be57e1568a54db74f9486eeca3
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-java_1.5.1dfsg1-5_s390.deb
        Size/MD5 checksum:   283310 50e24ceb2aa44e5404d09f6ae5ba4618
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_s390.deb
        Size/MD5 checksum:   153672 adea0d2ad7c264b70641a036c32790e7
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_s390.deb
        Size/MD5 checksum:   850932 3d87c9a80e8e67bd98d222bcaa5983a1
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_s390.deb
        Size/MD5 checksum:   867490 02ce0a908b9b354b7bcf740004bee6cb
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_s390.deb
        Size/MD5 checksum:  1167094 4e42c8d4951648a2427f691ce574edaa
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-dev_1.5.1dfsg1-5_sparc.deb
        Size/MD5 checksum:  1083012 1f7d508a4fecdbb5d27cf8881425f115
      https://security.debian.org/pool/updates/main/s/subversion/libapache2-svn_1.5.1dfsg1-5_sparc.deb
        Size/MD5 checksum:   145080 4c22a42819c8cfa53b7cd52b81fa9174
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-ruby1.8_1.5.1dfsg1-5_sparc.deb
        Size/MD5 checksum:   491828 332f1d25029aa4cefc30bf831a6f3b79
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-java_1.5.1dfsg1-5_sparc.deb
        Size/MD5 checksum:   277138 e2b536c3016240307f80980d2d7e2a14
      https://security.debian.org/pool/updates/main/s/subversion/subversion_1.5.1dfsg1-5_sparc.deb
        Size/MD5 checksum:  1274640 becab26e59f0736703e7dc20320c8d10
      https://security.debian.org/pool/updates/main/s/subversion/libsvn1_1.5.1dfsg1-5_sparc.deb
        Size/MD5 checksum:   742790 bd00aad310f314101f6c28467dcc14f8
      https://security.debian.org/pool/updates/main/s/subversion/python-subversion_1.5.1dfsg1-5_sparc.deb
        Size/MD5 checksum:  1017700 5ff6c6e4035e9c1c83c23cd39da46560
      https://security.debian.org/pool/updates/main/s/subversion/libsvn-perl_1.5.1dfsg1-5_sparc.deb
        Size/MD5 checksum:  1072676 8b24094ba1a0af57eec6d4e61ad23313
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb https://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and https://packages.debian.org/
    

    LinuxSecurity Poll

    Do you feel that the Lawful Access to Encrypted Data Act, which aims to force encryption backdoors, is a threat to US citizens' privacy?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/30-do-you-feel-that-the-lawful-access-to-encrypted-data-act-which-aims-to-force-encryption-backdoors-is-a-threat-to-privacy?task=poll.vote&format=json
    30
    radio
    [{"id":"106","title":"Yes - I am a privacy advocate and I am strongly opposed to this bill.","votes":"7","type":"x","order":"1","pct":100,"resources":[]},{"id":"107","title":"I'm undecided - it has its pros and cons.","votes":"0","type":"x","order":"2","pct":0,"resources":[]},{"id":"108","title":"No - I support this bill and feel that it will help protect against crime and threats to our national security. ","votes":"0","type":"x","order":"3","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.