ESB-2017.2073 - [SUSE] subversion: Multiple vulnerabilities 2017-08-18


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2073
           SUSE Security Update: Security update for subversion
                              18 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           subversion
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Existing Account            
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9800 CVE-2016-8734 CVE-2016-2168
                   CVE-2016-2167 CVE-2015-5343 CVE-2015-3187
                   CVE-2015-3184 CVE-2015-0251 CVE-2015-0248
                   CVE-2015-0202 CVE-2014-8108 CVE-2014-3580

Reference:         ASB-2015.0079
                   ESB-2017.2037
                   ESB-2014.2477
                   ESB-2014.2420

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for subversion
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2200-1
Rating:             important
References:         #1011552 #1026936 #1051362 #897033 #909935 
                    #911620 #916286 #923793 #923794 #923795 #939514 
                    #939517 #942819 #958300 #969159 #976849 #976850 
                    #977424 #983938 
Cross-References:   CVE-2014-3580 CVE-2014-8108 CVE-2015-0202
                    CVE-2015-0248 CVE-2015-0251 CVE-2015-3184
                    CVE-2015-3187 CVE-2015-5343 CVE-2016-2167
                    CVE-2016-2168 CVE-2016-8734 CVE-2017-9800
                   
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Software Development Kit 12-SP2
______________________________________________________________________________

   An update that solves 12 vulnerabilities and has 7 fixes is
   now available.

Description:

   This update for subversion fixes the following issues:


   - CVE-2017-9800: A malicious or compromised server, or a MITM, may cause the
     svn client to execute arbitrary commands by sending repository content with
     svn:externals definitions pointing to crafted svn+ssh URLs. (bsc#1051362)

   - Malicious user may commit SHA-1 collisions and cause repository
     inconsistencies (bsc#1026936)

   - CVE-2016-8734: Unrestricted XML entity expansion in mod_dontdothat and
     Subversion clients using http(s):// could lead to denial of service
     (bsc#1011552)

   - CVE-2016-2167: svnserve/sasl may authenticate users using the wrong
     realm (bsc#976849)

   - CVE-2016-2168: Remotely triggerable DoS vulnerability in mod_authz_svn
     during COPY/MOVE authorization check (bsc#976850)

   - mod_authz_svn: fix authz with mod_auth_kerb/mod_auth_ntlm (bsc#977424)

   - make the subversion package conflict with KWallet and Gnome Keyring
     packages which do not require matching subversion versions in SLE 12 and
     openSUSE Leap 42.1 and thus break the main package upon partial upgrade.
     (bsc#969159)

   - CVE-2015-5343: Remotely triggerable heap overflow and out-of-bounds read
     in mod_dav_svn caused by integer overflow when parsing skel-encoded
     request bodies. (bsc#958300)

   - Avoid recommending 180+ new pkgs for installation on a minimal setup due
     to subversion-password-store (bsc#942819)

   - CVE-2015-3184: mod_authz_svn: mixed anonymous/authenticated httpd (dav)
     configurations could lead to information leak (bsc#939514)

   - CVE-2015-3187: do not leak paths that were hidden by path-based authz
     (bsc#939517)

   - CVE-2015-0202: Subversion HTTP servers with FSFS repositories were
     vulnerable to a remotely triggerable excessive memory use with certain
     REPORT requests. (bsc#923793)

   - CVE-2015-0248: Subversion mod_dav_svn and svnserve were vulnerable to a
     remotely triggerable assertion DoS vulnerability for certain requests
     with dynamically evaluated revision numbers. (bsc#923794)

   - CVE-2015-0251: Subversion HTTP servers allow spoofing svn:author
     property values for new revisions (bsc#923795)

   - fix sample configuration comments in subversion.conf (bsc#916286)

   - fix sysconfig file generation (bsc#911620)

   - CVE-2014-3580: mod_dav_svn invalid REPORT requests could lead to denial
     of service (bsc#909935)

   - CVE-2014-8108: mod_dav_svn use of invalid transaction names could lead
     to denial of service (bsc#909935)

   - INSTALL#SQLite says 'Subversion 1.8 requires SQLite version 3.7.12 or
     above'; therefore I lowered the sqlite requirement to make subversion
     run on older system versions, too. (bsc#897033)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP3:

      zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-1340=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1340=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

      libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1
      libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.19-25.3.1
      subversion-1.8.19-25.3.1
      subversion-debuginfo-1.8.19-25.3.1
      subversion-debugsource-1.8.19-25.3.1
      subversion-devel-1.8.19-25.3.1
      subversion-perl-1.8.19-25.3.1
      subversion-perl-debuginfo-1.8.19-25.3.1
      subversion-python-1.8.19-25.3.1
      subversion-python-debuginfo-1.8.19-25.3.1
      subversion-server-1.8.19-25.3.1
      subversion-server-debuginfo-1.8.19-25.3.1
      subversion-tools-1.8.19-25.3.1
      subversion-tools-debuginfo-1.8.19-25.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP3 (noarch):

      subversion-bash-completion-1.8.19-25.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1
      libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.19-25.3.1
      subversion-1.8.19-25.3.1
      subversion-debuginfo-1.8.19-25.3.1
      subversion-debugsource-1.8.19-25.3.1
      subversion-devel-1.8.19-25.3.1
      subversion-perl-1.8.19-25.3.1
      subversion-perl-debuginfo-1.8.19-25.3.1
      subversion-python-1.8.19-25.3.1
      subversion-python-debuginfo-1.8.19-25.3.1
      subversion-server-1.8.19-25.3.1
      subversion-server-debuginfo-1.8.19-25.3.1
      subversion-tools-1.8.19-25.3.1
      subversion-tools-debuginfo-1.8.19-25.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (noarch):

      subversion-bash-completion-1.8.19-25.3.1
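   To verify that the fixed build has actually landed on a host, the version
   strings in the package list above have to be compared with RPM semantics
   rather than as plain strings. The following is an added example, not part
   of the SUSE or AusCERT bulletin: it reimplements a simplified form of RPM's
   label comparison (no tilde/caret handling) and checks constructed
   `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output against the
   1.8.19-25.3.1 build named in this advisory for SLE SDK 12-SP2/SP3.

```python
import re

# Fixed build from this advisory's package list (SLE SDK 12-SP2 / 12-SP3 only;
# other products carry different version-release strings).
FIXED_VERSION = "1.8.19"
FIXED_RELEASE = "25.3.1"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Simplified RPM label compare: returns -1, 0 or 1 (no tilde/caret rules)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1        # numeric segment beats alpha segment
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):            # longer numeric string is larger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1   # extra trailing segment is newer

def is_fixed(version, release):
    """True when version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 if c != 0 else rpmvercmp(release, FIXED_RELEASE) >= 0

def vulnerable_packages(rpm_output):
    """Return subversion/libsvn packages from rpm output still below the fix."""
    found = []
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, ver, rel = parts
        if name.startswith(("subversion", "libsvn_")) and not is_fixed(ver, rel):
            found.append("%s-%s-%s" % (name, ver, rel))
    return found

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output.
SAMPLE_RPM_OUTPUT = """\
subversion 1.8.19 25.3.1
subversion-server 1.8.10 20.1
libsvn_auth_gnome_keyring-1-0 1.8.19 25.3.1
subversion-tools 1.8.19 22.4.2
kernel-default 4.4.73 5.1
"""

if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_OUTPUT):
        print("NOT FIXED:", pkg)
```

   On a real host, feed the output of the rpm query above into
   `vulnerable_packages` instead of the constructed sample.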


References:

   https://www.suse.com/security/cve/CVE-2014-3580.html
   https://www.suse.com/security/cve/CVE-2014-8108.html
   https://www.suse.com/security/cve/CVE-2015-0202.html
   https://www.suse.com/security/cve/CVE-2015-0248.html
   https://www.suse.com/security/cve/CVE-2015-0251.html
   https://www.suse.com/security/cve/CVE-2015-3184.html
   https://www.suse.com/security/cve/CVE-2015-3187.html
   https://www.suse.com/security/cve/CVE-2015-5343.html
   https://www.suse.com/security/cve/CVE-2016-2167.html
   https://www.suse.com/security/cve/CVE-2016-2168.html
   https://www.suse.com/security/cve/CVE-2016-8734.html
   https://www.suse.com/security/cve/CVE-2017-9800.html
   https://bugzilla.suse.com/1011552
   https://bugzilla.suse.com/1026936
   https://bugzilla.suse.com/1051362
   https://bugzilla.suse.com/897033
   https://bugzilla.suse.com/909935
   https://bugzilla.suse.com/911620
   https://bugzilla.suse.com/916286
   https://bugzilla.suse.com/923793
   https://bugzilla.suse.com/923794
   https://bugzilla.suse.com/923795
   https://bugzilla.suse.com/939514
   https://bugzilla.suse.com/939517
   https://bugzilla.suse.com/942819
   https://bugzilla.suse.com/958300
   https://bugzilla.suse.com/969159
   https://bugzilla.suse.com/976849
   https://bugzilla.suse.com/976850
   https://bugzilla.suse.com/977424
   https://bugzilla.suse.com/983938

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
