Posted to announce@subversion.apache.org by Hyrum Wright <hw...@apache.org> on 2011/05/14 13:30:20 UTC

Vulnerability in APR: CVE-2011-0419

To interested persons:

Apache Subversion uses the Apache Portable Runtime (APR) to provide
platform-specific and other utility services.  APR announced the
availability of APR 1.4.4, which addresses CVE-2011-0419, a potential
unconstrained recursion bug in apr_fnmatch().  An attacker could
potentially exploit this issue to cause the target machine to exhaust
stack memory or use excessive CPU.  Prior to Subversion 1.6.16,
Subversion called the vulnerable function on untrusted data in
mod_dav_svn, exposing it to this flaw.

In Subversion 1.6.16, mod_dav_svn was changed to avoid the use of
apr_fnmatch(), eliminating this attack vector for Subversion.  Thus,
Subversion systems are only vulnerable if they are running *both* APR
< 1.4.4 and Subversion < 1.6.16.  It is recommended that users upgrade
one or both of these components as soon as is convenient.
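The exposure condition above is a conjunction (APR older than 1.4.4 AND
Subversion older than 1.6.16), which is easy to get backwards when
auditing a fleet of servers.  The following script is an added example,
not part of this announcement or of the Subversion project's own code.
It parses the version strings that `apr-1-config --version` and
`svn --version --quiet` print (the use of those two commands, and the
assumption that the host runs mod_dav_svn, are assumptions of this
example) and reports whether the pair falls inside the vulnerable window.

```python
import re
import subprocess
from typing import Tuple

# Fixed releases named in the announcement.
APR_FIXED = (1, 4, 4)
SVN_FIXED = (1, 6, 16)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first x.y.z triple from tool output.

    Accepts the bare '1.4.3' that apr-1-config prints as well as the
    longer 'svn, version 1.6.15 (rNNNN)' banner form (constructed samples).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())  # type: ignore[return-value]


def exposed_to_cve_2011_0419(apr_version: str, svn_version: str) -> bool:
    """True only when BOTH components are below their fixed releases.

    Per the announcement, a fixed APR or a fixed Subversion alone is
    sufficient: mod_dav_svn >= 1.6.16 no longer calls apr_fnmatch(), and
    APR >= 1.4.4 no longer has the recursion bug.
    """
    apr = parse_version(apr_version)
    svn = parse_version(svn_version)
    return apr < APR_FIXED and svn < SVN_FIXED


def remediation(apr_version: str, svn_version: str) -> str:
    """Human-readable verdict, listing which upgrade(s) would close the gap."""
    if not exposed_to_cve_2011_0419(apr_version, svn_version):
        return "not exposed: at least one component is at a fixed release"
    return ("EXPOSED: upgrade APR to >= 1.4.4 or Subversion to >= 1.6.16 "
            "(either one is sufficient; both is preferable)")


def _run(cmd: list) -> str:
    """Run a version query and return its stdout; assumed command names."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Live check on the local host.  apr-1-config and svn are assumed to be
    # on PATH; on hosts where they are not, the error is reported and the
    # functions above can still be fed version strings gathered elsewhere.
    try:
        apr_out = _run(["apr-1-config", "--version"])
        svn_out = _run(["svn", "--version", "--quiet"])
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"could not query local versions: {exc}")
    else:
        print(f"APR {parse_version(apr_out)}, Subversion {parse_version(svn_out)}")
        print(remediation(apr_out, svn_out))
```

The comparison is done on integer tuples rather than on the raw strings so
that, for instance, APR 1.4.10 correctly sorts after 1.4.4; a string
comparison would misclassify it.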

To read more about the APR 1.4.4 release, see
http://www.apache.org/dist/apr/Announcement1.x.html

- The Subversion Team