Bugzilla – Bug 976850
VUL-0: CVE-2016-2168: subversion: mod_authz_svn: DoS in MOVE/COPY authorization check
Last modified: 2017-08-17 14:41:54 UTC
Created attachment 674227
CVE-2016-2168-1.9.3.patch

EMBARGOED

CRD: 2016-04-28

  Remotely triggerable DoS vulnerability in mod_authz_svn during COPY/MOVE
  authorization check.

Summary:
========

  Subversion's httpd servers are vulnerable to a remotely triggerable crash
  in the mod_authz_svn module. The crash can occur during an authorization
  check for a COPY or MOVE request with a specially crafted header value.

  This allows remote attackers to cause a denial of service.

Known vulnerable:
=================

  Subversion httpd servers 1.0.0 to 1.8.15 (inclusive)
  Subversion httpd servers 1.9.0 through 1.9.3 (inclusive)

  Subversion svnserve servers (any version) are not vulnerable

Known fixed:
============

  Subversion 1.8.16
  Subversion 1.9.4

Details:
========

  Subversion includes a separate server module, mod_authz_svn, which does
  path-based authorization on Subversion repositories. Authorizing a COPY
  or MOVE request requires additional checks for the destination of the
  request. This additional logic contains a flaw that will cause a null
  pointer dereference and a segmentation fault with certain invalid request
  headers.

  Exploiting this vulnerability requires the attacker to be authenticated
  on the targeted server. Since the flaw is in the authorization module,
  the attack does not require access to a particular repository.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability. In order to take
  advantage of this attack the attacker would require to authenticate
  against the targeted server. The attack does not require read access to
  a particular repository. Servers which allow for anonymous reads will be
  vulnerable without authentication.

  A remote attacker may be able to crash a Subversion server. Many Apache
  servers will respawn the listener processes, but a determined attacker
  will be able to crash these processes as they appear, denying service to
  legitimate users. Servers using threaded MPMs will close the connection
  on other clients being served by the same process that services the
  request from the attacker. In either case there is an increased
  processing impact of restarting a process and the cost of per process
  caches being lost.

Recommendations:
================

  We recommend all users to upgrade to Subversion 1.9.4. Users of
  Subversion 1.8.x and 1.9.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No workaround is available.

References:
===========

  CVE-2016-2168 (Subversion)

Reported by:
============

  Ivan Zhakov, VisualSVN
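The impact described above (children crashing as fast as the parent respawns them) shows up in the httpd error log as a run of segfault notices. The following is an added detection example, not part of the advisory or of Subversion; it assumes the default Apache 2.4 error-log line format, and the threshold, the window and the name `find_crash_bursts` are illustrative choices. It flags the symptom only: a segfault burst can have other causes.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Parent-process notice for a child killed by SIGSEGV (assumed Apache 2.4 format).
CRASH = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+:notice\] \[pid \d+(?::tid \d+)?\] "
    r"AH0005[12]: child pid \d+ exit signal Segmentation fault \(11\)"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = """\
[Thu Apr 28 10:14:50.000100 2016] [mpm_prefork:notice] [pid 900] AH00163: Apache/2.4.18 (Unix) configured -- resuming normal operations
[Thu Apr 28 10:15:02.123456 2016] [core:notice] [pid 900] AH00052: child pid 1201 exit signal Segmentation fault (11)
[Thu Apr 28 10:15:05.000321 2016] [core:notice] [pid 900] AH00052: child pid 1202 exit signal Segmentation fault (11)
[Thu Apr 28 10:15:09.450000 2016] [core:notice] [pid 900] AH00052: child pid 1207 exit signal Segmentation fault (11)
[Thu Apr 28 10:15:14.000001 2016] [core:notice] [pid 900] AH00052: child pid 1210 exit signal Segmentation fault (11)
[Thu Apr 28 11:40:00.500000 2016] [core:notice] [pid 900] AH00052: child pid 1388 exit signal Segmentation fault (11)
"""

def find_crash_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return bursts of >= threshold child segfaults inside a sliding window."""
    recent = deque()   # crash timestamps still inside the window
    bursts = []        # each: {"first": dt, "last": dt, "crashes": int}
    for line in lines:
        m = CRASH.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) < threshold:
            continue
        if bursts and recent[0] <= bursts[-1]["last"]:
            # Window still overlaps the previous burst: extend it.
            bursts[-1]["last"] = ts
            bursts[-1]["crashes"] += 1
        else:
            bursts.append({"first": recent[0], "last": ts, "crashes": len(recent)})
    return bursts

if __name__ == "__main__":
    for b in find_crash_bursts(SAMPLE_LOG.splitlines()):
        print(f"{b['crashes']} child segfaults between {b['first']} and {b['last']}")
```
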
bugbot adjusting priority
Public at:
http://subversion.apache.org/security/CVE-2016-2168-advisory.txt
http://svn.haxx.se/dev/archive-2016-04/0100.shtml
http://svn.haxx.se/dev/archive-2016-04/0101.shtml
SUSE-SU-2016:1249-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 911620,969159,976849,976850
CVE References: CVE-2016-2167,CVE-2016-2168
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): subversion-1.8.10-21.1
SUSE Linux Enterprise Software Development Kit 12 (src): subversion-1.8.10-21.1

openSUSE-SU-2016:1263-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 911620,969159,976849,976850
CVE References: CVE-2016-2167,CVE-2016-2168
Sources used:
openSUSE Leap 42.1 (src): subversion-1.8.10-9.1

openSUSE-SU-2016:1264-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 976849,976850,977424
CVE References: CVE-2016-2167,CVE-2016-2168
Sources used:
openSUSE 13.2 (src): subversion-1.8.16-2.26.1

SUSE-SU-2016:1511-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 939517,976849,976850
CVE References: CVE-2015-3187,CVE-2016-2167,CVE-2016-2168
Sources used:
SUSE Studio Onsite 1.3 (src): subversion-1.6.17-1.35.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): subversion-1.6.17-1.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): subversion-1.6.17-1.35.1
fixed
SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.
Category: security (important)
Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938
CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): subversion-1.8.19-25.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): subversion-1.8.19-25.3.1