Bugzilla – Bug 939514
VUL-0: CVE-2015-3184: subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4
Last modified: 2017-08-17 14:40:03 UTC
Summary ======= Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. The result is that anonymous access may be possible to files for which only authenticated access should be possible. Known vulnerable ================ Apache httpd 2.4.0 to 2.4.12 Apache Subversion 1.8.0 to 1.8.13 Apache Subversion 1.7.0 to 1.7.20 Servers are vulnerable if either httpd or Subversion is as listed. Subversion 1.6 does not build with httpd 2.4 and servers using httpd 2.2 are not vulnerable. Servers that are configured to deny anonymous access are not vulnerable. Known fixed =========== Apache httpd 2.4.13 Apache Subversion 1.8.14 and 1.7.21 Both httpd and Subversion need to be updated. Details ======= If you have a Subversion repository configured for anonymous read that has mod_authz_svn configured such that some portion of the repository is hidden from an anonymous user, then in certain cases when Subversion is used with Apache httpd 2.4.x the file contents of the repository may be exposed to someone who knows the path name within the repository. The protected files and directories will not show on directory listings. Protected directories that do not show in their parent will return an empty directory listing rather than a 403 error. Protected files will return the full content of the file. Specifically the conditions required for this to happen is that there needs to be a <Directory> block for the DocumentRoot allowing access to everyone (e.g. Require all granted) and "Satisfy any" must not be set. This sort of configuration is included in the default httpd.conf that `make install` provides and is fairly standard. Severity ======== CVSSv2 Base Score: 4.3 CVSSv2 Base Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N The repository needs to be configured with mixed anonymous and authenticated path-based authz and the the attacker needs to know the paths to files in the repository that require authentication. Recommendations =============== All users of mixed anonymous/authenticated authz to upgrade Apache and Subversion. As a workaround disable mixed anonymous/authenticated authz. References ========== CVE-2015-3184 (Subversion) CVE-2015-3185 (httpd) Reported by =========== C. Michael Pilato, CollabNet
Created attachment 642015 [details] patch for 1.7.20
Created attachment 642016 [details] patch for 1.8.13
bugbot adjusting priority
Adding to CC a community member who is a member of the upstream project and aware of the advisory and embargoed information.
This is an autogenerated message for OBS integration: This bug (939514) was mentioned in https://build.opensuse.org/request/show/320903 Factory / subversion https://build.opensuse.org/request/show/320904 13.2 / subversion
This is an autogenerated message for OBS integration: This bug (939514) was mentioned in https://build.opensuse.org/request/show/320911 13.1 / subversion
This is an autogenerated message for OBS integration: This bug (939514) was mentioned in https://build.opensuse.org/request/show/320945 Factory / subversion
public
openSUSE-SU-2015:1401-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 939514,939517 CVE References: CVE-2015-3184,CVE-2015-3187 Sources used: openSUSE 13.2 (src): subversion-1.8.14-2.17.1 openSUSE 13.1 (src): subversion-1.8.14-2.39.1
released
SUSE-SU-2015:1473-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 939514,939517 CVE References: CVE-2015-3184,CVE-2015-3187 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): subversion-1.8.10-15.1
openSUSE-SU-2015:2363-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 939514,939517,958300 CVE References: CVE-2015-3184,CVE-2015-3187,CVE-2015-5343 Sources used: openSUSE Leap 42.1 (src): subversion-1.8.10-6.1
SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938 CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): subversion-1.8.19-25.3.1