Scientific Linux: CVE-2010-3315 Moderate: Subversion Security Fix

Mar 04, 2011 •

LinuxSecurity Advisories

2 - 3 min read

Scientific Large Esm H500

Topics Covered

security advisory subversion update access control memory leak crash risk Scientific Linux

Moderate: subversion security update

Date: Fri, 4 Mar 2011 14:47:11 -0600
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux

From: Troy Dawson 
Subject: Security ERRATA Moderate: subversion on SL6.x i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."

Synopsis:	Moderate: subversion security update
Issue date:	2011-02-15
CVE Names:	CVE-2010-3315 CVE-2010-4539 CVE-2010-4644

An access restriction bypass flaw was found in the mod_dav_svn module.
If the SVNPathAuthz directive was set to "short_circuit", certain access
rules were not enforced, possibly allowing sensitive repository data to
be leaked to remote users. Note that SVNPathAuthz is set to "On" by
default. (CVE-2010-3315)

A server-side memory leak was found in the Subversion server. If a
malicious, remote user performed "svn blame" or "svn log" operations on
certain repository files, it could cause the Subversion server to
consume a large amount of system memory. (CVE-2010-4644)

A NULL pointer dereference flaw was found in the way the mod_dav_svn
module processed certain requests. If a malicious, remote user issued a
certain type of request to display a collection of Subversion
repositories on a host that has the SVNListParentPath directive enabled,
it could cause the httpd process serving the request to crash. Note that
SVNListParentPath is not enabled by default. (CVE-2010-4539)

After installing the updated packages, the Subversion server must be
restarted for the update to take effect: restart httpd if you are using
mod_dav_svn, or restart svnserve if it is used.

SL 6.x

 SRPMS:
subversion-1.6.11-2.el6_0.2.src.rpm
 i386:
mod_dav_svn-1.6.11-2.el6_0.2.i686.rpm
subversion-1.6.11-2.el6_0.2.i686.rpm
subversion-devel-1.6.11-2.el6_0.2.i686.rpm
subversion-gnome-1.6.11-2.el6_0.2.i686.rpm
subversion-javahl-1.6.11-2.el6_0.2.i686.rpm
subversion-kde-1.6.11-2.el6_0.2.i686.rpm
subversion-perl-1.6.11-2.el6_0.2.i686.rpm
subversion-ruby-1.6.11-2.el6_0.2.i686.rpm
subversion-svn2cl-1.6.11-2.el6_0.2.noarch.rpm
 x86_64:
mod_dav_svn-1.6.11-2.el6_0.2.x86_64.rpm
subversion-1.6.11-2.el6_0.2.i686.rpm
subversion-1.6.11-2.el6_0.2.x86_64.rpm
subversion-devel-1.6.11-2.el6_0.2.i686.rpm
subversion-devel-1.6.11-2.el6_0.2.x86_64.rpm
subversion-gnome-1.6.11-2.el6_0.2.i686.rpm
subversion-gnome-1.6.11-2.el6_0.2.x86_64.rpm
subversion-javahl-1.6.11-2.el6_0.2.i686.rpm
subversion-javahl-1.6.11-2.el6_0.2.x86_64.rpm
subversion-kde-1.6.11-2.el6_0.2.i686.rpm
subversion-kde-1.6.11-2.el6_0.2.x86_64.rpm
subversion-perl-1.6.11-2.el6_0.2.i686.rpm
subversion-perl-1.6.11-2.el6_0.2.x86_64.rpm
subversion-ruby-1.6.11-2.el6_0.2.i686.rpm
subversion-ruby-1.6.11-2.el6_0.2.x86_64.rpm
subversion-svn2cl-1.6.11-2.el6_0.2.noarch.rpm

-Connie Sieh
-Troy Dawson

Powered By

Linux Security Footer

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Like staying secure? So do we.
Sign up for updates, tips, and alerts!

Your message here