Bugzilla – Bug 923793
VUL-0: CVE-2015-0202: subversion: mod_dav_svn with FSFS repositories remotely triggerable excessive memory use with certain REPORT requests
Last modified: 2017-08-17 14:42:07 UTC
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-04-07. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61279
Public via http://subversion.apache.org/security/CVE-2015-0202-advisory.txt Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests. Summary: ======== Subversion's mod_dav_svn Apache HTTPD server module may use excessive amounts of memory when processing REPORT requests that require traversing through a large number of FSFS repository nodes (files and directories). This can lead to a DoS. There are no known instances of this problem being observed in the wild, but an exploit has been tested. Known vulnerable: ================= Subversion HTTPD servers 1.8.0 through 1.8.11 (inclusive) Known fixed: ============ Subversion 1.8.13 svnserve (any version) is not vulnerable Subversion 1.8.12 was not publicly released. Details: ======== Subversion FSFS repositories cache different types of data for performance reasons. An FSFS repository filesystem is structured as a direct acyclic graph (DAG), and it has a special cache for the DAG nodes. Subversion 1.8.0 added an additional level of caching for the DAG nodes, and the excessive memory use is a consequence of the cached nodes not being deallocated in a timely manner. HTTPD Server and Subversion use memory pools for allocations. Certain REPORT requests can trigger a state when the cache keeps allocating new elements from a pool, but the previously allocated elements are not being deallocated. This memory will be reclaimed eventually (once the request finishes or when the cache leaves the inappropriate state), but multiple parallel requests might ultimately exhaust all the available memory on the server. Severity: ========= CVSSv2 Base Score: 5.0 CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P We consider this to be a medium risk vulnerability. Repositories which allow for anonymous reads will be vulnerable without authentication. Unfortunately, no special configuration is required and all mod_dav_svn servers with FSFS repositories are vulnerable. Apache HTTPD servers that block potentially expensive requests via mod_dontdothat module have a smaller attack surface, but are still vulnerable. Actual memory consumption (per request) depends on the layout and size of the particular repository, but is potentially unbounded. The impact of using this memory varies wildly based on operating system and httpd configuration. Some operating systems may kill off processes or crash if too much memory is used. The Apache HTTPD configuration option of MaxRequestsPerChild may restart a process after a certain number of requests and limit the impact of accidental exercise of this issue. However, a determined attacker could repeat the requests and mitigate any countermeasures. Recommendations: ================ We recommend all users to upgrade to Subversion 1.8.13. Users of Subversion 1.8.x who are unable to upgrade may apply the included patch. New Subversion packages can be found at: http://subversion.apache.org/packages.html There is no effective configuration that can mitigate the issue entirely however the use of ulimit (or the equivalent) to set memory limits for processes may help prevent the impact affecting other services running on the same machine. References: =========== CVE-2015-0202 (Subversion) Reported by: ============ Evgeny Kotkov, VisualSVN
This is an autogenerated message for OBS integration: This bug (923793) was mentioned in https://build.opensuse.org/request/show/293791 Factory / subversion
This is an autogenerated message for OBS integration: This bug (923793) was mentioned in https://build.opensuse.org/request/show/293792 13.2+13.1 / subversion
Ok, this one should be done. SLE<12 not affected from what I can see.
openSUSE-SU-2015:0672-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 916286,923793,923794,923795 CVE References: CVE-2015-0202,CVE-2015-0248,CVE-2015-0251 Sources used: openSUSE 13.2 (src): subversion-1.8.13-2.14.1 openSUSE 13.1 (src): subversion-1.8.13-2.36.1
Releasing SLE 12 update
SUSE-SU-2015:0776-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 923793,923794,923795 CVE References: CVE-2015-0202,CVE-2015-0248,CVE-2015-0251 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): subversion-1.8.10-12.1
SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938 CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): subversion-1.8.19-25.3.1