Articles / Ubuntu: New Subversion pack…

Ubuntu: New Subversion packages fix security vulnerabilities

Joe Schaefer discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain baselined WebDAV resource requests. A remote attacker could use this flaw to cause the service to crash, leading to a denial of service. Ivan Zhakov discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain requests. A remote attacker could use this flaw to cause the service to consume all available resources, leading to a denial of service. Kamesh Jayachandran discovered that the Subversion mod_dav_svn module for Apache did not properly handle access control in certain situations. A remote user could use this flaw to gain access to files that would otherwise be unreadable. Updated packages are available from security.ubuntu.com.

==========================================================================
Ubuntu Security Notice USN-1144-1
June 06, 2011

subversion vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

An attacker could send crafted input to the Subversion mod_dav_svn module
for Apache and cause it to crash or gain access to restricted files.

Software Description:
- subversion: Advanced version control system

Details:

Joe Schaefer discovered that the Subversion mod_dav_svn module for Apache
did not properly handle certain baselined WebDAV resource requests. A
remote attacker could use this flaw to cause the service to crash, leading
to a denial of service. (CVE-2011-1752)

Ivan Zhakov discovered that the Subversion mod_dav_svn module for Apache
did not properly handle certain requests. A remote attacker could use this
flaw to cause the service to consume all available resources, leading to a
denial of service. (CVE-2011-1783)

Kamesh Jayachandran discovered that the Subversion mod_dav_svn module for
Apache did not properly handle access control in certain situations. A
remote user could use this flaw to gain access to files that would
otherwise be unreadable. (CVE-2011-1921)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
 libapache2-svn                  1.6.12dfsg-4ubuntu2.1

Ubuntu 10.10:
 libapache2-svn                  1.6.12dfsg-1ubuntu1.3

Ubuntu 10.04 LTS:
 libapache2-svn                  1.6.6dfsg-2ubuntu1.3

After a standard system update you need to restart any applications that
use Subversion, such as Apache when using mod_dav_svn, to make all the
necessary changes.

References:
 CVE-2011-1752, CVE-2011-1783, CVE-2011-1921

Package Information:
 https://launchpad.net/ubuntu/+source/subversion/1.6.12dfsg-4ubuntu2.1
 https://launchpad.net/ubuntu/+source/subversion/1.6.12dfsg-1ubuntu1.3
 https://launchpad.net/ubuntu/+source/subversion/1.6.6dfsg-2ubuntu1.3
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.