Posted to announce@subversion.apache.org by Ben Reser <br...@apache.org> on 2013/07/12 00:11:45 UTC

Importance of Apache HTTP 2.2.25 Release to Subversion Admins

As you may have seen on our announce mailing list yesterday, the
Apache HTTP Server Project released 2.2.25 yesterday.

This release includes a security fix that is important for Subversion
sites using mod_dav_svn to host their repositories.  Specifically it
includes a fix for the following DoS issue:

   * SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by
     mod_dav_svn with the source href (sent as part of the request body
     as XML) pointing to a URI that is not configured for DAV will
     trigger a segfault.

Exploiting this vulnerability does require write access to the
repository, so it is a relatively low risk issue.

There are no known workarounds available, so the only way to resolve
this issue is to upgrade or patch the Apache HTTP server.  Also note
that at this time there is no Apache HTTP 2.4.x release that includes
this fix.  We anticipate that the HTTP project will release 2.4.5 soon
which we expect to include the fix for those using HTTP 2.4.x.

You can download the Apache HTTP 2.2.25 release from:

    http://httpd.apache.org/download.cgi
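
Added example, not part of the original announcement or of either project's code: a shell function that classifies a host from the text of `httpd -v` and `httpd -M`, using the 2.2.25 threshold and the mod_dav_svn condition stated above. The function name, the result labels and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# classify_httpd VERSION_TEXT MODULES_TEXT
#   VERSION_TEXT: output of `httpd -v`
#   MODULES_TEXT: output of `httpd -M`
# Prints one of: not-exposed | needs-upgrade | fixed | no-fixed-release | unknown
# (labels are hypothetical, chosen for this example)
classify_httpd() {
    version_text=$1
    modules_text=$2

    # The announcement concerns sites that host repositories with mod_dav_svn,
    # which `httpd -M` lists as dav_svn_module.
    case $modules_text in
        *dav_svn_module*) ;;
        *) echo not-exposed; return 0 ;;
    esac

    # Pull "2.2.24" out of "Server version: Apache/2.2.24 (Unix)".
    ver=$(printf '%s\n' "$version_text" |
          sed -n 's|^Server version: Apache/\([0-9]*\.[0-9]*\.[0-9]*\).*|\1|p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    case $major.$minor in
        # 2.2.25 is the release the announcement names as carrying the fix.
        2.2) if [ "$patch" -ge 25 ]; then echo fixed; else echo needs-upgrade; fi ;;
        # At the time of the announcement no 2.4.x release included the fix.
        2.4) echo no-fixed-release ;;
        *)   echo unknown ;;
    esac
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_VERSION='Server version: Apache/2.2.24 (Unix)
Server built:   Mar  1 2013 10:00:00'
SAMPLE_MODULES='Loaded Modules:
 dav_module (shared)
 dav_svn_module (shared)'

classify_httpd "$SAMPLE_VERSION" "$SAMPLE_MODULES"
```

Distribution packages may carry a backported fix under an older version string, so treat `needs-upgrade` as a prompt to check the vendor changelog rather than as proof.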