Category: Application (Generic) > Apache Subversion
Vendors: Apache Software Foundation, subversion.tigris.org
(CentOS Issues Fix) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1033309
SecurityTracker URL:  http://securitytracker.com/id/1033309
CVE Reference:   CVE-2015-3187   (Links to External Site)
Date:  Aug 18 2015
Impact:   Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.7.0 to 1.7.20, 1.8.0 to 1.8.13
Description:   Two vulnerabilities were reported in Apache Subversion. A remote user can obtain potentially sensitive information on the target system.

A remote user can supply a specially crafted path value to exploit a flaw in mod_authz_svn to gain access to potentially sensitive information from an ostensibly hidden repository [CVE-2015-3184].

Repositories configured for anonymous read are affected.

[Editor's note: This vulnerability has been assigned CVE-2015-3185 for the Apache httpd.]

A remote authenticated user can exploit a flaw in svn_repos_trace_node_locations() to view path names that are ostensibly hidden by authz [CVE-2015-3187].

C. Michael Pilato of CollabNet reported these vulnerabilities.

Impact:   A remote user can obtain potentially sensitive information from an ostensibly hidden repository.

A remote authenticated user can view ostensibly hidden path names.

Solution:   CentOS has issued a fix for CVE-2015-3187.


Cause:   Access control error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6

Message History:   This archive entry is a follow-up to the message listed below.
Aug 7 2015 Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information



Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1633 Moderate CentOS 6 subversion Security Update


CentOS Errata and Security Advisory 2015:1633 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1633.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 




-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce
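An added example, not part of the advisory or of the CentOS announcement above: a POSIX sh script that checks whether the installed CentOS 6 subversion and mod_dav_svn packages are at or above the fixed build 1.6.11-15.el6_7 named in the erratum. The version-release comparison is a simplified segment-by-segment compare written here for illustration (it is not rpm's own labelCompare); the `rpm -q --qf` query is only run where `rpm` exists.

```shell
#!/bin/sh
# Fixed version-release from CESA-2015:1633 (taken from the erratum above).
FIXED_VR="1.6.11-15.el6_7"

# vr_cmp A B: prints -1, 0 or 1 depending on whether version-release A is
# older than, equal to, or newer than B. Segments are split on '.', '_' and
# '-'; all-digit segments compare numerically, anything else as a string.
# Simplified compare written for this example, not rpm's own algorithm.
vr_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, as, /[._-]/); nb = split(b, bs, /[._-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? as[i] : ""; y = (i <= nb) ? bs[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# is_fixed VR: succeeds when VR is at or above the fixed build.
is_fixed() {
    [ "$(vr_cmp "$1" "$FIXED_VR")" -ge 0 ]
}

# check_host: query the installed packages the erratum updates and report
# each installed version-release against the fixed build.
check_host() {
    for pkg in subversion mod_dav_svn; do
        if ! rpm -q "$pkg" >/dev/null 2>&1; then
            echo "$pkg: not installed"
            continue
        fi
        # One line per installed instance (e.g. i686 and x86_64 side by side).
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" | while read -r vr; do
            if is_fixed "$vr"; then
                echo "$pkg-$vr: at or above $FIXED_VR"
            else
                echo "$pkg-$vr: below $FIXED_VR, update needed"
            fi
        done
    done
}

# Only query the package database on a host that actually has rpm.
if command -v rpm >/dev/null 2>&1; then
    check_host
fi
```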