Category:   Application (Generic)  >   Apache Subversion
Vendors:   Apache Software Foundation, subversion.tigris.org
Apache Subversion Bugs Let Remote Users Deny Service and Remote Authenticated Users Spoof Author Names
SecurityTracker Alert ID:  1033214
SecurityTracker URL:  http://securitytracker.com/id/1033214
CVE Reference:   CVE-2015-0248, CVE-2015-0251
Date:  Aug 7 2015
Impact:   Denial of service via network, Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.5.0 - 1.7.19, 1.8.0 - 1.8.11
Description:   Two vulnerabilities were reported in Apache Subversion. A remote user can cause denial of service conditions on the target system. A remote authenticated user can spoof the author name.

A remote user can send specially crafted parameters to the target mod_dav_svn and svnserve services to cause the target service to crash [CVE-2015-0248].

Evgeny Kotkov, VisualSVN, reported this vulnerability.

A remote authenticated user can exploit a flaw in the target mod_dav_svn server to set the 'svn:author' property to an arbitrary value when committing new revisions [CVE-2015-0251].

Ivan Zhakov, VisualSVN, reported this vulnerability.

Impact:   A remote user can cause the target service to crash.

A remote authenticated user can spoof the author name.

Solution:   The vendor has issued a fix (1.7.20, 1.8.13) [in April 2015].

The vendor's advisories are available at:

http://subversion.apache.org/security/CVE-2015-0248-advisory.txt
http://subversion.apache.org/security/CVE-2015-0251-advisory.txt

Vendor URL:  subversion.apache.org/security/CVE-2015-0248-advisory.txt
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 18 2015 (Red Hat Issues Fix) Apache Subversion Bugs Let Remote Users Deny Service and Remote Authenticated Users Spoof Author Names
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Aug 18 2015 (CentOS Issues Fix) Apache Subversion Bugs Let Remote Users Deny Service and Remote Authenticated Users Spoof Author Names
CentOS has issued a fix for CentOS Linux 6.
Aug 18 2015 (Oracle Issues Fix for Oracle Linux) Apache Subversion Bugs Let Remote Users Deny Service and Remote Authenticated Users Spoof Author Names
Oracle has issued a fix for Oracle Linux 6.
Aug 21 2015 (Ubuntu Issues Fix) Apache Subversion Bugs Let Remote Users Deny Service and Remote Authenticated Users Spoof Author Names
Ubuntu has issued a fix for Ubuntu 12.04 LTS, 14.04 LTS, and 15.04.
Sep 8 2015 (Red Hat Issues Fix) Apache Subversion Bugs Let Remote Users Deny Service and Remote Authenticated Users Spoof Author Names
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Sep 9 2015 (CentOS Issues Fix) Apache Subversion Bugs Let Remote Users Deny Service and Remote Authenticated Users Spoof Author Names
CentOS has issued a fix for CentOS Linux 7.
Sep 9 2015 (Oracle Issues Fix for Oracle Linux) Apache Subversion Bugs Let Remote Users Deny Service and Remote Authenticated Users Spoof Author Names
Oracle has issued a fix for Oracle Linux 7.
Sep 17 2015 (Apple Issues Fix for Apple Xcode) Apache Subversion Bugs Let Remote Users Deny Service and Remote Authenticated Users Spoof Author Names
Apple has issued a fix for Apple Xcode.


