Bugzilla – Bug 889849
VUL-0: CVE-2014-3528: subversion: Apache Subversion might reveal authentication information through md5 collision attack on authentication realm
Last modified: 2014-09-08 13:00:09 UTC
Apache Subversion might reveal authentication information through an md5 collision attack on authentication realm. An attacker would need to trick the potential victim into connecting to a subversion repository he controls and present a special realm string in order to be sent authentication information.

Patches:
http://svn.apache.org/r1550691
http://svn.apache.org/r1550772

Reference: http://mail-archives.apache.org/mod_mbox/subversion-dev/201407.mbox/%3C53DAB4A7.8030004%40reser.org%3E

Reproducible: Didn't try
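The bug above is that a credential cache keyed only by the MD5 of the realm string hands out whichever entry sits under the colliding digest. The following is an added illustration, not code from this bug or from the Subversion project: it assumes a cache whose entries are named by a hex MD5 of the realm and which record the realm string they were saved for, and contrasts a lookup that trusts the digest alone with one that also compares the stored realm string. The realm values are constructed, and the digest is deliberately truncated to 16 bits so a collision can be built for the demo.

```python
import functools
import hashlib

def md5_key(realm, hex_chars=32):
    """Cache file name: hex MD5 of the realm string (hex_chars < 32 only weakens it for the demo)."""
    return hashlib.md5(realm.encode("utf-8")).hexdigest()[:hex_chars]

class AuthCache:
    """In-memory stand-in for a credential cache whose entries are named by a digest of the realm."""

    def __init__(self, key_fn=md5_key):
        self.key_fn = key_fn
        self.files = {}

    def store(self, realm, username, password):
        # Each entry records the realm it was saved for, next to the credentials.
        self.files[self.key_fn(realm)] = {
            "svn:realmstring": realm, "username": username, "password": password}

    def lookup_unchecked(self, realm):
        # Pre-fix behaviour: trust whatever entry sits under the digest of the requested realm.
        return self.files.get(self.key_fn(realm))

    def lookup_checked(self, realm):
        # Hardened behaviour: the realm recorded inside the entry must match the request exactly,
        # so a digest collision yields nothing rather than another realm's credentials.
        entry = self.files.get(self.key_fn(realm))
        if entry is None or entry.get("svn:realmstring") != realm:
            return None
        return entry

def find_colliding_realm(key_fn, target_realm, prefix, limit=2_000_000):
    """Find a second realm with the same key; cheap only because the demo truncates the digest."""
    target = key_fn(target_realm)
    for i in range(limit):
        candidate = f"{prefix}{i}"
        if candidate != target_realm and key_fn(candidate) == target:
            return candidate
    raise RuntimeError("no collision found within limit")

def demo():
    weak_key = functools.partial(md5_key, hex_chars=4)  # 16-bit key stands in for a real collision
    cache = AuthCache(key_fn=weak_key)
    victim_realm = "<https://svn.example.org:443> Example Repository"  # constructed value
    cache.store(victim_realm, "alice", "s3cret")
    rogue_realm = find_colliding_realm(weak_key, victim_realm, "<https://rogue.example.net:443> ")
    leaked = cache.lookup_unchecked(rogue_realm)  # the victim's entry, wrongly released
    safe = cache.lookup_checked(rogue_realm)      # None: stored realm string does not match
    return leaked, safe
```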
does this have a CVE already? if not we would ask on oss-sec
(In reply to comment #1)
> does this have a CVE already? if not we would ask on oss-sec

Not that I am aware of. security@apache.org was asked to get a CVE number assigned.
http://mail-archives.apache.org/mod_mbox/subversion-dev/201407.mbox/%3C53DAB4A7.8030004%40reser.org%3E
There is a third revision in trunk: http://svn.apache.org/r1600909 (r1550691, r1550772, r1600909)

Patch in Subversion 1.8.x branch:
http://svn.apache.org/viewvc?view=revision&revision=1605944
http://svn.apache.org/viewvc/subversion/branches/1.8.x/subversion/libsvn_subr/config_auth.c?r1=1605944&r2=1605943&pathrev=1605944

Proposed patch for Subversion 1.7.x branch:
http://svn.apache.org/viewvc?view=revision&revision=1600983
http://svn.apache.org/viewvc/subversion/branches/1.7.x-md5-collision/subversion/libsvn_subr/config_auth.c?r1=1600983&r2=1600982&pathrev=1600983
(In reply to comment #1)
> does this have a CVE already? if not we would ask on oss-sec

http://seclists.org/oss-sec/2014/q3/275: CVE-2014-3528
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (889849) was mentioned in https://build.opensuse.org/request/show/244258 13.1+12.3 / libserf+subversion
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-08-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58606
Affected packages:
SLE-11-SP2: subversion
SLE-11-SP3: subversion
openSUSE-SU-2014:1059-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 889849,890510,890511
CVE References: CVE-2014-3504,CVE-2014-3522,CVE-2014-3528
Sources used:
openSUSE 13.1 (src): libserf-1.3.7-16.1, subversion-1.8.10-2.29.1
openSUSE 12.3 (src): libserf-1.1.1-2.4.1, subversion-1.7.18-2.36.1
SUSE-SU-2014:1071-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 889849
CVE References: CVE-2014-3528
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): subversion-1.6.17-1.29.1
released
SUSE-SU-2014:1071-2: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 889849
CVE References: CVE-2014-3528
Sources used:
SUSE Studio Onsite 1.3 (src): subversion-1.6.17-1.29.1