Bugzilla – Bug 850667
VUL-0: CVE-2013-4505: subversion: mod_dontdothat does not restrict requests from serf based clients
Last modified: 2014-01-27 09:50:36 UTC
CVE-2013-4505 and CVE-2013-4558:

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat.

Known vulnerable:
=================
mod_dontdothat 1.4.0 through 1.7.13
mod_dontdothat 1.8.0 through 1.8.4

Note that mod_dontdothat was in contrib until 1.7.3 and contrib is not included in Subversion source tarballs since 1.7.0, so Subversion 1.7.0 through 1.7.2 did not include mod_dontdothat (it was still available from the repository tags for those versions under contrib).

Known fixed:
============
mod_dontdothat 1.7.14
mod_dontdothat 1.8.5
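The failure mode described in the advisory above, as an added example that is not Subversion's code and not part of the original report: a check that only understands absolute URLs next to one that normalizes both forms and fails closed. The deny list, host name and function names are constructed for illustration, and exact-path matching is an assumption about the policy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed deny list of server-relative paths (assumption, not from the page). */
static const char *const DENY[] = { "/svn/repo", "/svn/repo/tags" };

/* Compare two paths, ignoring one trailing '/' on the request side. */
static bool same_path(const char *path, const char *rule)
{
    size_t n = strlen(path);
    if (n > 1 && path[n - 1] == '/')
        n--;
    return strlen(rule) == n && strncmp(path, rule, n) == 0;
}

static bool in_deny_list(const char *path)
{
    for (size_t i = 0; i < sizeof DENY / sizeof DENY[0]; i++)
        if (same_path(path, DENY[i]))
            return true;
    return false;
}

/* Path component of an absolute URL, or NULL if src_path is not one. */
static const char *url_path(const char *src_path)
{
    const char *sep = strstr(src_path, "://");
    if (sep == NULL || strchr(src_path, '/') != sep + 1)
        return NULL;
    sep = strchr(sep + 3, '/');
    return sep != NULL ? sep : "/";
}

/* Behaviour the advisory describes: a relative path is never matched. */
bool denied_absolute_only(const char *src_path)
{
    const char *path = url_path(src_path);
    return path != NULL && in_deny_list(path);
}

/* Hardened check: accept both forms, and fail closed on anything else. */
bool denied_normalized(const char *src_path)
{
    const char *path = url_path(src_path);
    if (path == NULL)
        path = src_path[0] == '/' ? src_path : NULL;
    return path == NULL || in_deny_list(path);
}
```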
Hi, why are there two CVEs? I've found all relevant upstream commits for 1.8.x:
https://github.com/apache/subversion/commit/5f1948467a0bb1e8d352aee7cc638c68ee2ca285
https://github.com/apache/subversion/commit/83e7f2efe56b6d00ceaa9cd9549b84cf6c23d4f7
Hope that 1.7 won't be that much different.
CVE-2013-4558 is related to mod_dav_svn:

When SVNAutoversioning is enabled via "SVNAutoversioning on", commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled, any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort.

Known vulnerable:
=================
mod_dav_svn 1.7.0 through 1.7.13
mod_dav_svn 1.8.0 through 1.8.4

Known fixed:
============
mod_dav_svn 1.7.14
mod_dav_svn 1.8.5

Recommendations:
================
We recommend all users upgrade mod_dav_svn to Subversion 1.8.5 or 1.7.14 or newer. Disabling SVNAutoversioning will avoid the problem. Building Subversion with assertions disabled will avoid the problem. This can be done using the --disable-debug option to configure on *nix and by using a Release build profile on Windows.
Hi, I've been looking into the issue, but mod_dav_svn has changed between 1.6.17 in SP2 and 1.7.14. There are two changes between 1.7.13 and 1.7.14:
* mod_dav_svn: Prevent crashes with some 3rd party modules (r1537360 et al)
* mod_dav_svn: canonicalize paths properly (r1542071)

Code from r1537360[1] fixes dav_svn__translate_name, introduced by [2], which is not in the sle11 version of sle. And followup commits 1542042[3] and 1541790[4] do mostly the same.

[1] https://github.com/apache/subversion/commit/354439f004af51c3b09966283ea484f107a81134
[2] https://github.com/apache/subversion/commit/2773387d3e67ea5504b7944474973c9bf2393650
[3] https://github.com/apache/subversion/commit/2651095ad9cbc6589e896eed3f631571f12622e5
[4] https://github.com/apache/subversion/commit/bed9114938b0517a672b355ba2b3651127a1c35a

I would recommend to use only [5] as this is what should prevent the assertion.

[5] https://github.com/apache/subversion/commit/583d13e9c5bd9131b623f5c25751757cc9b128e9

Can you make an eyeshot on that?
submitted with canonical path patch for mod_dav_svn
yes, the https://github.com/apache/subversion/commit/583d13e9c5bd9131b623f5c25751757cc9b128e9 looks good
openSUSE-SU-2013:1836-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 850667,850747
CVE References: CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 13.1 (src): subversion-1.8.5-2.11.1
openSUSE-SU-2013:1860-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 850667,850747
CVE References: CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 12.3 (src): subversion-1.7.14-2.22.1
openSUSE 12.2 (src): subversion-1.7.14-4.30.1
The SWAMPID for this issue is 55549. This issue was rated as moderate. Please submit fixed packages until 2013-12-31. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Is SLE11-SP3 not needed?
There is no SUSE:SLE-11-SP3:GA/subversion, so SP2 submission will be used on SP3.
released
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SUSE-SU-2014:0129-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 850667
CVE References: CVE-2013-4505,CVE-2013-4558
Sources used:
SUSE Studio Onsite 1.3 (src): subversion-1.6.17-1.25.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): subversion-1.6.17-1.25.1
SUSE Linux Enterprise Software Development Kit 11 SP2 (src): subversion-1.6.17-1.25.1