ESB-2017.2015 - [Win][UNIX/Linux] subversion: Execute arbitrary code/commands - Remote with user interaction 2017-08-14

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2015
               [ANNOUNCE] Apache Subversion 1.8.19 released
                              14 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           subversion
Publisher:         Apache
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9800  

Reference:         ESB-2017.1985

Original Bulletin: 
   http://subversion.apache.org/download.cgi?update=201708081800

- --------------------------BEGIN INCLUDED TEXT--------------------

I'm happy to announce the release of Apache Subversion 1.9.7.
Please choose the mirror closest to you by visiting:

    http://subversion.apache.org/download.cgi?update=201708081800#recommended-release

This is a stable security release of the Apache Subversion open source
version control system.  It fixes one security issue:

    CVE-2017-9800:
    Arbitrary code execution on clients through malicious svn+ssh URLs in
    svn:externals and svn:sync-from-url
    http://subversion.apache.org/security/CVE-2017-9800-advisory.txt

The SHA1 checksums are:

    874b81749cdc3e88152d103243c3623ac6338388 subversion-1.9.7.tar.bz2
    1a5f48acf9d0faa60e8c7aea96a9b29ab1d4dcac subversion-1.9.7.tar.gz
    741727b62596bf27f75838c46d1bb6938c83fbd7 subversion-1.9.7.zip

SHA-512 checksums are available at:

    https://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.sha512
    https://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.sha512
    https://www.apache.org/dist/subversion/subversion-1.9.7.zip.sha512

PGP Signatures are available at:

    http://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.asc
    http://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.asc
    http://www.apache.org/dist/subversion/subversion-1.9.7.zip.asc

For this release, the following people have provided PGP signatures:

   Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
    8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
   Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
    8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
   Evgeny Kotkov [4096R/B64FFF1209F9FA74] with fingerprint:
    E7B2 A7F4 EC28 BE9F F8B3  8BA4 B64F FF12 09F9 FA74
   Stefan Hett (CODE SIGNING KEY) [4096R/376A3CFD110B1C95] with fingerprint:
    7B8C A7F6 451A D89C 8ADC  077B 376A 3CFD 110B 1C95
   Daniel Shahaf [3072R/A5FEEE3AC7937444] with fingerprint:
    E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444
   Philip Martin [2048R/76D788E1ED1A599C] with fingerprint:
    A844 790F B574 3606 EE95  9207 76D7 88E1 ED1A 599C

Release notes for the 1.9.x release series may be found at:

    http://subversion.apache.org/docs/release-notes/1.9.html

You can find the list of changes between 1.9.7 and earlier versions at:

    http://svn.apache.org/repos/asf/subversion/tags/1.9.7/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- - The Subversion Team

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWZEJK4x+lLeg9Ub1AQhnyA/+KBVZfQ6LxiqQHNp+pWfBgHZlgbc4eKx9
XbmQdCkLLtAvgfSBOFA63Awmpq0OuH2Di5vzZBfl18StKf6d3eCEfz/oCHvZGLff
bNfcvA5B299UKeLzM+rn+ixwDirir1vLyAhVnBII9wgTSOqE3dHk4jcA+uB5DQz8
2Ob3bM10eZ6pOICAUxa/vQXRrVDnX3EmcDAupJ6Yui5yJFzNHf3RoQx3PU9JxqsR
UUpj4FALbQ95/Ff9jjVTvz7SvA4kbN0yX9mBWrYECgJUEcEbplSuXRE/Q4IQ8hpK
0PAdv2+x/iosMOWN3Eezu9eFQlHUpQ7VBXuCfOpdD6EIXmkzXONFPFoQ95b3hmQS
dgqbuGi9AnVBptIsL3u31A2eGSs5e7GRlZErEsZMLt8oGmes2PFE5P0odTNJivcy
E/JkFYDVjXQkxMwGyX+vCg0yuu8eJsxAMM56GayHLljX+rTTzHXOGzjfa64DcI4G
qhSRuMOel7E9ysd+uDizDIo1eDh1dhIr3C1Pk1P//ddDs0yhilRZzSGZToaZrvs9
UL7TcpQo6MnQPViJQCW01CJudmjYFJHMr1EW0cumrTVG1g4y7/q33ApgLGx+xeCn
psTO1i+Hc5WjraIXljK0zCYCfsPWc7M/07deKpstvu3SpHUrqvA3N5oRn2WX7XeB
TLHouwVhSSc=
=VGym
-----END PGP SIGNATURE-----

« Back to bulletins