You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by Ben Reser <be...@reser.org> on 2004/05/19 10:20:50 UTC
Subversion 1.0.3 released. *SECURITY FIX*
Subversion 1.0.3 is ready. Grab it from:
http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
The MD5 checksums are:
1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
Subversion versions up to and including 1.0.2 have a buffer overflow in
the date parsing code.
Both client and server are vulnerable. The server is vulnerable over
both httpd/DAV and svnserve (that is, over http://, https://, svn://,
svn+ssh:// and other tunneled svn+*:// methods).
Additionally, clients with shared working copies, or permissions that
allow files in the administrative area of the working copy to be
written by other users, are potentially exploitable.
Severity:
=========
Severity ranges from "Denial of Service" to, potentially, "Arbitrary
Code Execution", depending upon how skilled the attacker is and the
ABI specifics of your platform.
The server vulnerabilities can be triggered without write/commit access
to the repository. So repositories with anonymous/public read access
are vulnerable.
Workarounds:
============
There are no workarounds except to disallow public access. Even then
you'd still be vulnerable to attack by someone who still has access
(perhaps you trust those people, though).
Recommendations:
================
We recommend all users upgrade to 1.0.3.
References:
===========
CAN-2004-0397: subversion sscanf stack overflow via revision date
in REPORT query
Note:
=====
There was a similar vulnerability in the Neon HTTP library up to and
including version 0.24.5. Because Subversion ships with Neon, we have
included (in Subversion 1.0.3) Neon 0.24.6, which is being released
simultaneously. Subversion does not actually invoke the vulnerable code
in Neon; we are updating our copy of Neon simply as a reassuring
gesture, so people don't worry. See CAN-2004-0398 for details.
Questions, comments, and bug reports to users_at_subversion.tigris.org.
Thanks,
-The Subversion Team
--------------------8-<-------cut-here---------8-<-----------------------
User-visible-changes:
* fixed: security bug in date parsing. (CAN-2004-0397)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by "Jostein Chr. Andersen" <jo...@josander.net>.
On Thursday 20 May 2004 12.15, Eric Carlson wrote:
> I just applied that version on W2k over the 1.0.2 version. I use
> svnserve, no apache. When asked during the install about the modules I
> unchecked the box. Started up, svn --version shows 1.0.3 now but on
> first commit I got "msvcr71.dll cannot be found"...whats this please?
Did svnserve run during the installation? If so, stop the serveice,
install again and start the service again.
You can't replace files that's in use in Windows. This is an installer
bug.
Jostein
--
http://www.josander.net/kontakt/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by "Jostein Chr. Andersen" <jo...@josander.net>.
On Thursday 20 May 2004 12.15, Eric Carlson wrote:
> I just applied that version on W2k over the 1.0.2 version. I use
> svnserve, no apache. When asked during the install about the modules I
> unchecked the box. Started up, svn --version shows 1.0.3 now but on
> first commit I got "msvcr71.dll cannot be found"...whats this please?
Did svnserve run during the installation? If so, stop the serveice,
install again and start the service again.
You can't replace files that's in use in Windows. This is an installer
bug.
Jostein
--
http://www.josander.net/kontakt/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by Eric Carlson <er...@group-technical.com>.
I just applied that version on W2k over the 1.0.2 version. I use
svnserve, no apache. When asked during the install about the modules I
unchecked the box. Started up, svn --version shows 1.0.3 now but on
first commit I got "msvcr71.dll cannot be found"...whats this please?
On Thu, 20 May 2004 07:29:54 +0200, you wrote:
>On Wednesday 19 May 2004 12.20, Ben Reser wrote:
>> Subversion 1.0.3 is ready. Grab it from:
>>
>> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
>> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>
>The Windows Installer made from */svn-win32-1.0.3.zip is here:
>
> http://subversion.tigris.org/files/documents/15/13448/svn-1.0.3-setup.exe
>
>Jostein
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by "Jostein Chr. Andersen" <jo...@josander.net>.
On Wednesday 19 May 2004 12.20, Ben Reser wrote:
> Subversion 1.0.3 is ready. Grab it from:
>
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
The Windows Installer made from */svn-win32-1.0.3.zip is here:
http://subversion.tigris.org/files/documents/15/13448/svn-1.0.3-setup.exe
Jostein
--
http://www.josander.net/en/contact/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by Branko Čibej <br...@xbc.nu>.
The Win32 binaries are now available:
http://subversion.tigris.org/files/documents/15/13441/svn-win32-1.0.3.zip
http://subversion.tigris.org/files/documents/15/13437/svn-win32-1.0.3_dev.zip
http://subversion.tigris.org/files/documents/15/13438/svn-win32-1.0.3_pdb.zip
http://subversion.tigris.org/files/documents/15/13439/svn-win32-1.0.3_py.zip
The MD5 checksums are:
e7c0ab925a7f2e4711ab15f2ad214e6c *svn-win32-1.0.3.zip
2a2e41f91c259744f2a67731749eecd4 *svn-win32-1.0.3_dev.zip
be8e075fd68ee20ba8bb390cd824df82 *svn-win32-1.0.3_pdb.zip
8041994dce562d1bd1bc85d6d2e74e3e *svn-win32-1.0.3_py.zip
-- Brane
Ben Reser wrote:
>Subversion 1.0.3 is ready. Grab it from:
>
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>
>The MD5 checksums are:
>
> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>
>
>Subversion versions up to and including 1.0.2 have a buffer overflow in
>the date parsing code.
>
>Both client and server are vulnerable. The server is vulnerable over
>both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>svn+ssh:// and other tunneled svn+*:// methods).
>
>Additionally, clients with shared working copies, or permissions that
>allow files in the administrative area of the working copy to be
>written by other users, are potentially exploitable.
>
>Severity:
>=========
>
>Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>Code Execution", depending upon how skilled the attacker is and the
>ABI specifics of your platform.
>
>The server vulnerabilities can be triggered without write/commit access
>to the repository. So repositories with anonymous/public read access
>are vulnerable.
>
>Workarounds:
>============
>
>There are no workarounds except to disallow public access. Even then
>you'd still be vulnerable to attack by someone who still has access
>(perhaps you trust those people, though).
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.3.
>
>References:
>===========
>
>CAN-2004-0397: subversion sscanf stack overflow via revision date
> in REPORT query
>
>Note:
>=====
>
>There was a similar vulnerability in the Neon HTTP library up to and
>including version 0.24.5. Because Subversion ships with Neon, we have
>included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>simultaneously. Subversion does not actually invoke the vulnerable code
>in Neon; we are updating our copy of Neon simply as a reassuring
>gesture, so people don't worry. See CAN-2004-0398 for details.
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: security bug in date parsing. (CAN-2004-0397)
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by Patrick Mayweg <ma...@qint.de>.
The last version version of the javahl binding were build with an old
neon version. Therefore I made a new release, which can be downloaded from:
http://subversion.tigris.org/files/documents/15/13435/svn-win32-1.0.3_javahl_1.zip
The MD5 checksum is:
4972d495df512a4c21fb4438e89a7c2a
Sorry for any inconvinience my error caused.
Patrick
Patrick Mayweg wrote:
> The javahl binding for Subversion 1.0.3 on Win32 is ready. Grab it from:
>
>
> http://subversion.tigris.org/files/documents/15/13434/svn-win32-1.0.3_javahl.zip
>
>
> The MD5 checksum is:
>
> 3fdc12912ed891901f8014927ee0a465
>
> Patrick
>
> Ben Reser wrote:
>
>> Subversion 1.0.3 is ready. Grab it from:
>>
>> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
>>
>> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>>
>> The MD5 checksums are:
>>
>> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
>> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>>
>>
>> Subversion versions up to and including 1.0.2 have a buffer overflow in
>> the date parsing code.
>>
>> Both client and server are vulnerable. The server is vulnerable over
>> both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>> svn+ssh:// and other tunneled svn+*:// methods).
>>
>> Additionally, clients with shared working copies, or permissions that
>> allow files in the administrative area of the working copy to be
>> written by other users, are potentially exploitable.
>>
>> Severity:
>> =========
>>
>> Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>> Code Execution", depending upon how skilled the attacker is and the
>> ABI specifics of your platform.
>>
>> The server vulnerabilities can be triggered without write/commit access
>> to the repository. So repositories with anonymous/public read access
>> are vulnerable.
>>
>> Workarounds:
>> ============
>>
>> There are no workarounds except to disallow public access. Even then
>> you'd still be vulnerable to attack by someone who still has access
>> (perhaps you trust those people, though).
>>
>> Recommendations:
>> ================
>>
>> We recommend all users upgrade to 1.0.3.
>>
>> References:
>> ===========
>>
>> CAN-2004-0397: subversion sscanf stack overflow via revision date
>> in REPORT query
>>
>> Note:
>> =====
>>
>> There was a similar vulnerability in the Neon HTTP library up to and
>> including version 0.24.5. Because Subversion ships with Neon, we have
>> included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>> simultaneously. Subversion does not actually invoke the vulnerable code
>> in Neon; we are updating our copy of Neon simply as a reassuring
>> gesture, so people don't worry. See CAN-2004-0398 for details.
>>
>> Questions, comments, and bug reports to users_at_subversion.tigris.org.
>>
>> Thanks,
>> -The Subversion Team
>> --------------------8-<-------cut-here---------8-<-----------------------
>>
>>
>> User-visible-changes:
>> * fixed: security bug in date parsing. (CAN-2004-0397)
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail: dev-help@subversion.tigris.org
>>
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by Patrick Mayweg <ma...@qint.de>.
The last version version of the javahl binding were build with an old
neon version. Therefore I made a new release, which can be downloaded from:
http://subversion.tigris.org/files/documents/15/13435/svn-win32-1.0.3_javahl_1.zip
The MD5 checksum is:
4972d495df512a4c21fb4438e89a7c2a
Sorry for any inconvinience my error caused.
Patrick
Patrick Mayweg wrote:
> The javahl binding for Subversion 1.0.3 on Win32 is ready. Grab it from:
>
>
> http://subversion.tigris.org/files/documents/15/13434/svn-win32-1.0.3_javahl.zip
>
>
> The MD5 checksum is:
>
> 3fdc12912ed891901f8014927ee0a465
>
> Patrick
>
> Ben Reser wrote:
>
>> Subversion 1.0.3 is ready. Grab it from:
>>
>> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
>>
>> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>>
>> The MD5 checksums are:
>>
>> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
>> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>>
>>
>> Subversion versions up to and including 1.0.2 have a buffer overflow in
>> the date parsing code.
>>
>> Both client and server are vulnerable. The server is vulnerable over
>> both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>> svn+ssh:// and other tunneled svn+*:// methods).
>>
>> Additionally, clients with shared working copies, or permissions that
>> allow files in the administrative area of the working copy to be
>> written by other users, are potentially exploitable.
>>
>> Severity:
>> =========
>>
>> Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>> Code Execution", depending upon how skilled the attacker is and the
>> ABI specifics of your platform.
>>
>> The server vulnerabilities can be triggered without write/commit access
>> to the repository. So repositories with anonymous/public read access
>> are vulnerable.
>>
>> Workarounds:
>> ============
>>
>> There are no workarounds except to disallow public access. Even then
>> you'd still be vulnerable to attack by someone who still has access
>> (perhaps you trust those people, though).
>>
>> Recommendations:
>> ================
>>
>> We recommend all users upgrade to 1.0.3.
>>
>> References:
>> ===========
>>
>> CAN-2004-0397: subversion sscanf stack overflow via revision date
>> in REPORT query
>>
>> Note:
>> =====
>>
>> There was a similar vulnerability in the Neon HTTP library up to and
>> including version 0.24.5. Because Subversion ships with Neon, we have
>> included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>> simultaneously. Subversion does not actually invoke the vulnerable code
>> in Neon; we are updating our copy of Neon simply as a reassuring
>> gesture, so people don't worry. See CAN-2004-0398 for details.
>>
>> Questions, comments, and bug reports to users_at_subversion.tigris.org.
>>
>> Thanks,
>> -The Subversion Team
>> --------------------8-<-------cut-here---------8-<-----------------------
>>
>>
>> User-visible-changes:
>> * fixed: security bug in date parsing. (CAN-2004-0397)
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail: dev-help@subversion.tigris.org
>>
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by Patrick Mayweg <ma...@qint.de>.
The javahl binding for Subversion 1.0.3 on Win32 is ready. Grab it from:
http://subversion.tigris.org/files/documents/15/13434/svn-win32-1.0.3_javahl.zip
The MD5 checksum is:
3fdc12912ed891901f8014927ee0a465
Patrick
Ben Reser wrote:
>Subversion 1.0.3 is ready. Grab it from:
>
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>
>The MD5 checksums are:
>
> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>
>
>Subversion versions up to and including 1.0.2 have a buffer overflow in
>the date parsing code.
>
>Both client and server are vulnerable. The server is vulnerable over
>both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>svn+ssh:// and other tunneled svn+*:// methods).
>
>Additionally, clients with shared working copies, or permissions that
>allow files in the administrative area of the working copy to be
>written by other users, are potentially exploitable.
>
>Severity:
>=========
>
>Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>Code Execution", depending upon how skilled the attacker is and the
>ABI specifics of your platform.
>
>The server vulnerabilities can be triggered without write/commit access
>to the repository. So repositories with anonymous/public read access
>are vulnerable.
>
>Workarounds:
>============
>
>There are no workarounds except to disallow public access. Even then
>you'd still be vulnerable to attack by someone who still has access
>(perhaps you trust those people, though).
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.3.
>
>References:
>===========
>
>CAN-2004-0397: subversion sscanf stack overflow via revision date
> in REPORT query
>
>Note:
>=====
>
>There was a similar vulnerability in the Neon HTTP library up to and
>including version 0.24.5. Because Subversion ships with Neon, we have
>included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>simultaneously. Subversion does not actually invoke the vulnerable code
>in Neon; we are updating our copy of Neon simply as a reassuring
>gesture, so people don't worry. See CAN-2004-0398 for details.
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: security bug in date parsing. (CAN-2004-0397)
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by Branko Čibej <br...@xbc.nu>.
The Win32 binaries are now available:
http://subversion.tigris.org/files/documents/15/13441/svn-win32-1.0.3.zip
http://subversion.tigris.org/files/documents/15/13437/svn-win32-1.0.3_dev.zip
http://subversion.tigris.org/files/documents/15/13438/svn-win32-1.0.3_pdb.zip
http://subversion.tigris.org/files/documents/15/13439/svn-win32-1.0.3_py.zip
The MD5 checksums are:
e7c0ab925a7f2e4711ab15f2ad214e6c *svn-win32-1.0.3.zip
2a2e41f91c259744f2a67731749eecd4 *svn-win32-1.0.3_dev.zip
be8e075fd68ee20ba8bb390cd824df82 *svn-win32-1.0.3_pdb.zip
8041994dce562d1bd1bc85d6d2e74e3e *svn-win32-1.0.3_py.zip
-- Brane
Ben Reser wrote:
>Subversion 1.0.3 is ready. Grab it from:
>
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>
>The MD5 checksums are:
>
> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>
>
>Subversion versions up to and including 1.0.2 have a buffer overflow in
>the date parsing code.
>
>Both client and server are vulnerable. The server is vulnerable over
>both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>svn+ssh:// and other tunneled svn+*:// methods).
>
>Additionally, clients with shared working copies, or permissions that
>allow files in the administrative area of the working copy to be
>written by other users, are potentially exploitable.
>
>Severity:
>=========
>
>Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>Code Execution", depending upon how skilled the attacker is and the
>ABI specifics of your platform.
>
>The server vulnerabilities can be triggered without write/commit access
>to the repository. So repositories with anonymous/public read access
>are vulnerable.
>
>Workarounds:
>============
>
>There are no workarounds except to disallow public access. Even then
>you'd still be vulnerable to attack by someone who still has access
>(perhaps you trust those people, though).
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.3.
>
>References:
>===========
>
>CAN-2004-0397: subversion sscanf stack overflow via revision date
> in REPORT query
>
>Note:
>=====
>
>There was a similar vulnerability in the Neon HTTP library up to and
>including version 0.24.5. Because Subversion ships with Neon, we have
>included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>simultaneously. Subversion does not actually invoke the vulnerable code
>in Neon; we are updating our copy of Neon simply as a reassuring
>gesture, so people don't worry. See CAN-2004-0398 for details.
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: security bug in date parsing. (CAN-2004-0397)
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by "Jostein Chr. Andersen" <jo...@josander.net>.
On Wednesday 19 May 2004 12.20, Ben Reser wrote:
> Subversion 1.0.3 is ready. Grab it from:
>
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
The Windows Installer made from */svn-win32-1.0.3.zip is here:
http://subversion.tigris.org/files/documents/15/13448/svn-1.0.3-setup.exe
Jostein
--
http://www.josander.net/en/contact/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by kf...@collab.net.
Ben Reser deserves a huge thank you here.
It's not obvious from the announcement, but a lot of behind-the-scenes
work went into analyzing this vulnerability, coordinating with various
security lists, pre-notifying major sites running Subversion, etc.
The 1.0.3 release is just the tip of a very large iceberg. Ben
cheerfully took on a ton of unexpected work in doing this.
If you see this guy in your town, please buy him a beer!
-Karl
Ben Reser <be...@reser.org> writes:
> Subversion 1.0.3 is ready. Grab it from:
>
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>
> The MD5 checksums are:
>
> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>
>
> Subversion versions up to and including 1.0.2 have a buffer overflow in
> the date parsing code.
>
> Both client and server are vulnerable. The server is vulnerable over
> both httpd/DAV and svnserve (that is, over http://, https://, svn://,
> svn+ssh:// and other tunneled svn+*:// methods).
>
> Additionally, clients with shared working copies, or permissions that
> allow files in the administrative area of the working copy to be
> written by other users, are potentially exploitable.
>
> Severity:
> =========
>
> Severity ranges from "Denial of Service" to, potentially, "Arbitrary
> Code Execution", depending upon how skilled the attacker is and the
> ABI specifics of your platform.
>
> The server vulnerabilities can be triggered without write/commit access
> to the repository. So repositories with anonymous/public read access
> are vulnerable.
>
> Workarounds:
> ============
>
> There are no workarounds except to disallow public access. Even then
> you'd still be vulnerable to attack by someone who still has access
> (perhaps you trust those people, though).
>
> Recommendations:
> ================
>
> We recommend all users upgrade to 1.0.3.
>
> References:
> ===========
>
> CAN-2004-0397: subversion sscanf stack overflow via revision date
> in REPORT query
>
> Note:
> =====
>
> There was a similar vulnerability in the Neon HTTP library up to and
> including version 0.24.5. Because Subversion ships with Neon, we have
> included (in Subversion 1.0.3) Neon 0.24.6, which is being released
> simultaneously. Subversion does not actually invoke the vulnerable code
> in Neon; we are updating our copy of Neon simply as a reassuring
> gesture, so people don't worry. See CAN-2004-0398 for details.
>
> Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
> Thanks,
> -The Subversion Team
>
> --------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: security bug in date parsing. (CAN-2004-0397)
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: Subversion 1.0.3 released. *SECURITY FIX*
Posted by Patrick Mayweg <ma...@qint.de>.
The javahl binding for Subversion 1.0.3 on Win32 is ready. Grab it from:
http://subversion.tigris.org/files/documents/15/13434/svn-win32-1.0.3_javahl.zip
The MD5 checksum is:
3fdc12912ed891901f8014927ee0a465
Patrick
Ben Reser wrote:
>Subversion 1.0.3 is ready. Grab it from:
>
> http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
> http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2
>
>The MD5 checksums are:
>
> 1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
> a8961f86a2bbd8deb59b2b62db303461 subversion-1.0.3.tar.bz2
>
>
>Subversion versions up to and including 1.0.2 have a buffer overflow in
>the date parsing code.
>
>Both client and server are vulnerable. The server is vulnerable over
>both httpd/DAV and svnserve (that is, over http://, https://, svn://,
>svn+ssh:// and other tunneled svn+*:// methods).
>
>Additionally, clients with shared working copies, or permissions that
>allow files in the administrative area of the working copy to be
>written by other users, are potentially exploitable.
>
>Severity:
>=========
>
>Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>Code Execution", depending upon how skilled the attacker is and the
>ABI specifics of your platform.
>
>The server vulnerabilities can be triggered without write/commit access
>to the repository. So repositories with anonymous/public read access
>are vulnerable.
>
>Workarounds:
>============
>
>There are no workarounds except to disallow public access. Even then
>you'd still be vulnerable to attack by someone who still has access
>(perhaps you trust those people, though).
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.3.
>
>References:
>===========
>
>CAN-2004-0397: subversion sscanf stack overflow via revision date
> in REPORT query
>
>Note:
>=====
>
>There was a similar vulnerability in the Neon HTTP library up to and
>including version 0.24.5. Because Subversion ships with Neon, we have
>included (in Subversion 1.0.3) Neon 0.24.6, which is being released
>simultaneously. Subversion does not actually invoke the vulnerable code
>in Neon; we are updating our copy of Neon simply as a reassuring
>gesture, so people don't worry. See CAN-2004-0398 for details.
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: security bug in date parsing. (CAN-2004-0397)
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org