Posted to users@subversion.apache.org by Vibin Bruno <vb...@gmail.com> on 2020/09/20 20:36:13 UTC

Note from Vibin Bruno to your Facebook Page Subversion.

Hi Team,

Our security team has raised the vulnerabilities below in SVN.

1. Concurrent login allowed in SVN console - the same user can log in to the
console at the same time using two machines.

2. Brute Force attack - user should be locked after 3 incorrect login attempts.

Kindly help us in resolving the above vulnerabilities.

Regards,
Micheal
8655557405

Re: Note from Vibin Bruno to your Facebook Page Subversion.

Posted by Chris Carman <na...@gmail.com>.
Kindly stop spamming this list.

Re: Note from Vibin Bruno to your Facebook Page Subversion.

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Tue, Sep 22, 2020 at 4:09 PM Vibin Bruno <vb...@gmail.com> wrote:
>
> Kindly help in resolving the below vulnerabilities
>
> On Mon, Sep 21, 2020, 02:06 Vibin Bruno <vb...@gmail.com> wrote:
>>
>> Hi Team,
>>
>> Our security team has raised below vulnerabilities in SVN.
>>
>> 1. Concurrent login allowed in SVN console - same user can login to the console same time using two machines.

This is not a vulnerability. It's a feature. Sessions using SSH keys
or credentials may be automated for continuous integration systems to
simultaneously permit dozens or hundreds of simultaneous sessions.
It's not a Subversion problem per se, it's built into the transport
mechanisms such as SSH sessions for svn+ssh, the svnserve daemon, or
the httpd daemon for mod_svn access. It's not built for
single-threaded operation, though I suppose with httpd you could set
it up that way.

>> 2. Brute Force attack - user should be locked after 3 incorrect login attempts.

That's a back end authentication, typically built into the Kerberos
based authentication of tools like Active Directory or other LDAP and
Kerberos systems, not a Subversion issue which httpd and svnserve and
SSH access can use. I suggest that you find whoever is telling you to
resolve these issues and enroll them in some courses on how password
based authentication normally works.

>> Kindly help us in resolving the above vulnerabilities.

These are not Subversion issues. They are authentication back end
issues, most of them easily configured for a desired policy. Who is
calling these "vulnerabilities"? It's like saying that having a window
that opens is a vulnerability, it's how the systems normally work.

Nico Kadel-Garcia

>>
>> Regards,
>> Micheal
>> 8655557405

Re: Note from Vibin Bruno to your Facebook Page Subversion.

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Sep 22, 2020, at 14:22, Vibin Bruno <vb...@gmail.com> wrote:
> 
> Kindly help in resolving the below vulnerabilities

You may need to take a different approach when communicating with this list. We are a community of volunteers, users who use Subversion. We can try to help guide you toward solutions but we are not obligated to deliver answers on demand.


> On Mon, Sep 21, 2020, 02:06 Vibin Bruno <vb...@gmail.com> wrote:
> Hi Team,
> 
> Our security team has raised below vulnerabilities in SVN.
> 
> 1. Concurrent login allowed in SVN console - same user can login to the console same time using two machines.

Subversion does not have a console. Subversion consists of client programs and libraries, and server programs and modules. If your server is set up to require authentication, then each time you issue a command (checkout, update, commit, etc.) your credentials are sent to the server and verified. There is no persistent connection or login, so there is no such thing as logging in from multiple machines at the same time. Certainly a user can issue one command from one machine, and a moment later the user can issue another command from either the same machine or a different machine. The server does not care where the connections come from as long as the user credentials are verified.


> 2. Brute Force attack - user should be locked after 3 incorrect login attempts.


There are several different ways that you can serve your repository (apache mod_dav_svn module, svnserve standalone, svnserve over ssh) and many different ways that authentication can be implemented. Some of the serving methods may give you a way to implement this, but it would be outside my area of expertise.


Re: Note from Vibin Bruno to your Facebook Page Subversion.

Posted by Paul Greene <pa...@gmail.com>.
I'm going to guess that you do certification and accreditation, and
somebody evaluating your system presented you with a list of findings that
have to be addressed.
Typically with a commercial vendor, you can communicate with a technical
support team (that you pay a lot of money to every year to get that
support) that can help you address the findings.
However, SVN is not a commercial product - it is an open source product -
the product is developed by unpaid volunteers. This mailing list is made up
of people that are fellow users of the product who don't get paid for
participating in this list.
You can't really demand that anybody do anything for you.

On Tue, Sep 22, 2020 at 4:09 PM Vibin Bruno <vb...@gmail.com> wrote:

> Kindly help in resolving the below vulnerabilities
>
> On Mon, Sep 21, 2020, 02:06 Vibin Bruno <vb...@gmail.com> wrote:
>
>> Hi Team,
>>
>> Our security team has raised below vulnerabilities in SVN.
>>
>> 1. Concurrent login allowed in SVN console - same user can login to the
>> console same time using two machines.
>>
>> 2. Brute Force attack - user should be locked after 3 incorrect login
>> attempts.
>>
>> Kindly help us in resolving the above vulnerabilities.
>>
>> Regards,
>> Micheal
>> 8655557405
>>
>

Re: Note from Vibin Bruno to your Facebook Page Subversion.

Posted by Vibin Bruno <vb...@gmail.com>.
Kindly help in resolving the below vulnerabilities

On Mon, Sep 21, 2020, 02:06 Vibin Bruno <vb...@gmail.com> wrote:

> Hi Team,
>
> Our security team has raised below vulnerabilities in SVN.
>
> 1. Concurrent login allowed in SVN console - same user can login to the
> console same time using two machines.
>
> 2. Brute Force attack - user should be locked after 3 incorrect login
> attempts.
>
> Kindly help us in resolving the above vulnerabilities.
>
> Regards,
> Micheal
> 8655557405
>

Re: Note from Vibin Bruno to your Facebook Page Subversion.

Posted by Mark Phippard <ma...@gmail.com>.
On Sun, Sep 20, 2020 at 4:44 PM Vibin Bruno <vb...@gmail.com> wrote:

> Hi Team,
>
> Our security team has raised below vulnerabilities in SVN.
>
> 1. Concurrent login allowed in SVN console - same user can login to the
> console same time using two machines.
>
> 2. Brute Force attack - user should be locked after 3 incorrect login
> attempts.
>
> Kindly help us in resolving the above vulnerabilities.
>


This is not the correct list to report these "problems".

SVN does not have a web user interface or console, so you are likely using
some other SVN management product and need to report this there. That said,
I would say both of these are more opinion and taste than vulnerabilities.
I manage a SVN related product called SVN Edge and I would not consider
"fixing" either of these issues if that is the product you are using. The
first one is just straight up not a problem and I would never entertain it
as one. The second one is somewhat a problem though "3" is an arbitrary
number and there are a lot of ways to deal with brute force login attempts.
For example, SVN Edge throttles the login attempts making it impractical to
brute force attack a password.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/
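Mark's point that "3" is an arbitrary number and that throttling is one of several ways to handle repeated login failures can be illustrated with a small sliding-window detector. This is an added example written for this page, not code from SVN Edge or from Apache Subversion; it assumes the repository is served by httpd with mod_dav_svn writing a combined-format access log (a bad password is answered with HTTP 401), and the log lines are constructed.

```python
# Added example (not from the thread or any SVN project): a sliding-window
# failed-authentication monitor for a Subversion repository served by
# httpd/mod_dav_svn. httpd answers a rejected credential with HTTP 401, so
# counting 401s per client within a time window is one way to spot a
# brute-force run without locking the account outright.
# The log lines below are constructed, in Apache combined-log style.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
10.0.0.7 - - [22/Sep/2020:14:00:01 +0000] "OPTIONS /svn/proj HTTP/1.1" 401 381
10.0.0.7 - - [22/Sep/2020:14:00:02 +0000] "OPTIONS /svn/proj HTTP/1.1" 401 381
10.0.0.7 - - [22/Sep/2020:14:00:03 +0000] "OPTIONS /svn/proj HTTP/1.1" 401 381
10.0.0.7 - - [22/Sep/2020:14:00:04 +0000] "OPTIONS /svn/proj HTTP/1.1" 401 381
10.0.0.9 - alice [22/Sep/2020:14:00:05 +0000] "OPTIONS /svn/proj HTTP/1.1" 200 190
10.0.0.9 - alice [22/Sep/2020:14:05:00 +0000] "PROPFIND /svn/proj HTTP/1.1" 207 845
10.0.0.7 - - [22/Sep/2020:14:30:00 +0000] "OPTIONS /svn/proj HTTP/1.1" 401 381
"""

# ip, identd, user, [timestamp], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {client_ip: time the threshold was first crossed}.

    A client is flagged once it accumulates `threshold` 401 responses inside
    `window`. Failures older than the window fall out of the count, so the
    lone 401 at 14:30 in the sample does not extend the earlier burst.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # ignore lines not in the expected shape
        ip, _user, ts, status = m.groups()
        if status != "401":
            continue
        when = datetime.strptime(ts, TIME_FMT)
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = when
    return flagged
```

Running with `threshold=3` flags 10.0.0.7 at its third failure, while the default of 5 flags nothing, because the fifth failure arrives after the first four have aged out of the window.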