Bugzilla – Bug 836245
VUL-1: CVE-2013-4277: subversion: Apache Subversion maintenance release 1.7.13
Last modified: 2013-12-13 13:06:20 UTC
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

from https://svn.apache.org/viewvc/subversion/tags/1.7.13/CHANGES?revision=1516638&view=markup

Version 1.7.13 (29 Aug 2013, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.13

User-visible changes:
- General
  * merge: fix bogus mergeinfo with conflicting file merges (issue #4306)
  * diff: fix duplicated path component in '--summarize' output (issue #4408)
  * ra_serf: ignore case when checking certificate common names (r1514763)
- Server-side bugfixes:
  * svnserve: fix creation of pid files (r1516556)
  * mod_dav_svn: better status codes for commit failures (r1490684)
  * mod_dav_svn: do not map requests to filesystem (r1512432 et al)

Developer-visible changes:
- General:
  * support linking against gssapi on Solaris 10 (r1515068)
  * don't use uninitialized variable to produce an error code (r1482282)
- Bindings:
  * swig-pl: fix SVN::Client not honoring config file settings (r150744)
  * swig-pl & swig-py: disable unusable svn_fs_set_warning_func (r1515119)

Version 1.7.12
(Not released, see changes for 1.7.13.)

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
CVE details to follow when public
1.7.13: CVE-2013-4246: svnserve: symlink attack against pid file
Maintenance request for this security update: https://build.opensuse.org/request/show/196922
(In reply to comment #2)
> 1.7.13:
> CVE-2013-4246: svnserve: symlink attack against pid file

Mistake from upstream. This is actually:

CVE-2013-4277: svnserve: symlink attack against pid file

https://build.opensuse.org/request/show/196923
SLE11 SP2/3 is also affected by this. SLE10 SP4 is not affected.
Created attachment 555545: CVE-2013-4277 fix against subversion-1.8.
In SLE11 the affected file is subversion/svnserve/main.c.
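The fix class named above (safe creation of svnserve's pid file) as a defender-side illustration; this is an added example, not code from Subversion's main.c or from the SUSE patch, and it assumes a POSIX system where open(2) supports O_NOFOLLOW. Function names are its own.

```c
#define _XOPEN_SOURCE 700          /* O_NOFOLLOW, mkdtemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create PATH and write PID into it. O_CREAT|O_EXCL refuses anything that
 * already exists at PATH, and O_NOFOLLOW refuses a symlink as the final
 * component, so a link planted there by a local user cannot redirect the
 * write onto another file. Returns 0 on success, -1 (errno set) on failure. */
int write_pid_file_safely(const char *path, pid_t pid)
{
    char buf[32];
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    ssize_t n = write(fd, buf, (size_t)len);
    if (close(fd) != 0 || n != len)
        return -1;
    return 0;
}

/* Self-check on constructed files in a temporary directory: a symlink planted
 * where the pid file would go must be refused and its target left untouched,
 * while a fresh path must succeed. Returns 1 if both hold, 0 otherwise. */
int pid_file_self_check(void)
{
    char dir[] = "/tmp/pidcheck.XXXXXX", victim[64], link[64], fresh[64];
    char line[32] = "";
    int ok = 0;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/svnserve.pid", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.pid", dir);
    FILE *f = fopen(victim, "w");                      /* constructed target */
    if (f && fputs("original\n", f) != EOF && fclose(f) == 0
        && symlink(victim, link) == 0
        && write_pid_file_safely(link, getpid()) == -1 /* planted link refused */
        && write_pid_file_safely(fresh, getpid()) == 0) {
        f = fopen(victim, "r");
        if (f && fgets(line, sizeof line, f)) ok = strcmp(line, "original\n") == 0;
        if (f) fclose(f);
    }
    unlink(victim); unlink(link); unlink(fresh); rmdir(dir);
    return ok;
}
```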
Advisory: https://subversion.apache.org/security/CVE-2013-4277-advisory.txt

I see that updates for openSUSE are on their way:
https://build.opensuse.org/project/monitor/openSUSE:Maintenance:1980

In relation to that, the Apache Subversion PMC said that this was pre-notified to the security team one week prior to the release. Is this working for us? (e.g. are we responding in an appropriate fashion, e.g. private notification to package maintainers)
Thanks Andreas! It looks like we didn't get any pre-notification for this issue. The easiest way would be a heads-up to security@suse.de. It's even possible to use GPG (Key ID: 3D25D3D9).
(In reply to comment #9)
> Thanks Andreas! It looks like we didn't get any pre-notification for this
> issue.
>
> The easiest way would be a heads-up to security@suse.de. It's even possible to
> use GPG (Key ID: 3D25D3D9).

Apache Subversion PMC said that the pre-notifications should be fixed now.
http://colabti.org/irclogger/irclogger_log/svn-dev?date=2013-09-04#l133

If you get this info before me for future events, please cc me on the private VUL-* bug and I will prepare and test updates for openSUSE in branch projects without public source access.
I've backported the fix for subversion 1.6 - sent as 28742
openSUSE-SU-2013:1442-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 836245
CVE References: CVE-2013-4277
Sources used:
openSUSE 12.3 (src): subversion-1.7.13-2.16.1
openSUSE 12.2 (src): subversion-1.7.13-4.24.1
openSUSE-SU-2013:1485-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 836245
CVE References: CVE-2013-4277
Sources used:
openSUSE 11.4 (src): subversion-1.6.23-55.2
The SWAMPID for this issue is 54537. This issue was rated as important. Please submit fixed packages until 2013-10-03. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
released
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools

Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools

Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
openSUSE-SU-2013:1869-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 528714,649861,662030,713919,788015,794676,830031,836245,850747
CVE References: CVE-2010-3315,CVE-2010-4539,CVE-2010-4644,CVE-2013-1884,CVE-2013-4131,CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 11.4 (src): subversion-1.7.14-59.1