Category:   Application (Generic)  >   Apache Subversion
Vendors:   Apache Software Foundation, subversion.tigris.org
(CentOS Issues Fix) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1033507
SecurityTracker URL:  http://securitytracker.com/id/1033507
CVE Reference:   CVE-2015-3184, CVE-2015-3187
Date:  Sep 9 2015
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.7.0 to 1.7.20, 1.8.0 to 1.8.13
Description:   Two vulnerabilities were reported in Apache Subversion. A remote user can obtain potentially sensitive information on the target system.

A remote user can supply a specially crafted path value to exploit a flaw in mod_authz_svn to gain access to potentially sensitive information from an ostensibly hidden repository [CVE-2015-3184].

Repositories configured for anonymous read are affected.

[Editor's note: This vulnerability has been assigned CVE-2015-3185 for the Apache httpd.]
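The advisory states that repositories configured for anonymous read are the ones exposed by CVE-2015-3184. The following triage script, added here and not part of the advisory or of the Subversion project, scans an Apache-style SVN authz file and lists every path section that grants read access to `*` (anonymous); the authz text is a constructed sample.

```python
"""Find SVN authz sections that grant anonymous ('*') read access.

Added triage example; assumes the standard mod_authz_svn authz format
(INI sections "[repo:/path]" or "[/path]", plus "[groups]"/"[aliases]").
"""
import configparser

def parse_authz(authz_text):
    """Parse authz text with the '=' delimiter used by mod_authz_svn."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str          # user/group names are case-sensitive
    cp.read_string(authz_text)
    return cp

def anonymous_read_sections(authz_text):
    """Return [(section, permission)] for path sections where '*' can read."""
    cp = parse_authz(authz_text)
    found = []
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue              # not path rules
        perm = cp.get(section, "*", fallback=None)
        if perm is not None and "r" in perm:
            found.append((section, perm.strip()))
    return found

def repository_of(section):
    """'repo:/path' -> 'repo'; a bare '/path' rule applies to every repository."""
    return section.split(":", 1)[0] if ":" in section else "*"

# Constructed sample authz file: one global anonymous-read rule, one
# repository that revokes it, and one repository path that re-grants it.
SAMPLE_AUTHZ = """\
[groups]
devs = alice, bob

[/]
* = r
@devs = rw

[secret:/]
* =
alice = rw

[public:/docs]
* = r
"""

if __name__ == "__main__":
    for section, perm in anonymous_read_sections(SAMPLE_AUTHZ):
        print(f"anonymous read: repo={repository_of(section)} section={section} ({perm})")
```

A hit on a bare `[/]` section means every repository served by that authz file inherits anonymous read unless a repository-specific rule (like `[secret:/]` above) revokes it.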

A remote authenticated user can exploit a flaw in svn_repos_trace_node_locations() to view path names that are ostensibly hidden by authz [CVE-2015-3187].

C. Michael Pilato of CollabNet reported these vulnerabilities.

Impact:   A remote user can obtain potentially sensitive information from an ostensibly hidden repository.

A remote authenticated user can view ostensibly hidden path names.

Solution:   CentOS has issued a fix.


Cause:   Access control error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Aug 7 2015 Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information

Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1742 Moderate CentOS 7 subversion Security Update


CentOS Errata and Security Advisory 2015:1742 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1742.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 




-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
