Login
Login-Name Passwort


 
Newsletter
Werbung

Sicherheit: Mehrere Probleme in Subversion
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Subversion
ID: MDVSA-2015:085
Distribution: Mandriva
Plattformen: Mandriva Business Server 2.0
Datum: Sa, 28. März 2015, 11:01
Referenzen: http://advisories.mageia.org/MGASA-2014-0105.html
http://advisories.mageia.org/MGASA-2014-0339.html
http://advisories.mageia.org/MGASA-2014-0545.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3528

Originalnachricht

This is a multi-part message in MIME format...

------------=_1427533048-3111-7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:085
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : subversion
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated subversion packages fix security vulnerabilities:

The mod_dav_svn module in Apache Subversion before 1.8.8, when
SVNListParentPath is enabled, allows remote attackers to cause a
denial of service (crash) via an OPTIONS request (CVE-2014-0032).

Ben Reser discovered that Subversion did not correctly validate SSL
certificates containing wildcards. A remote attacker could exploit this
to perform a man in the middle attack to view sensitive information
or alter encrypted communications (CVE-2014-3522).

Bert Huijben discovered that Subversion did not properly handle
cached credentials. A malicious server could possibly use this issue
to obtain credentials cached for a different server (CVE-2014-3528).

A NULL pointer dereference flaw was found in the way mod_dav_svn
handled REPORT requests. A remote, unauthenticated attacker could
use a crafted REPORT request to crash mod_dav_svn (CVE-2014-3580).

A NULL pointer dereference flaw was found in the way mod_dav_svn
handled URIs for virtual transaction names. A remote, unauthenticated
attacker could send a request for a virtual transaction name that
does not exist, causing mod_dav_svn to crash (CVE-2014-8108).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3528
http://advisories.mageia.org/MGASA-2014-0105.html
http://advisories.mageia.org/MGASA-2014-0339.html
http://advisories.mageia.org/MGASA-2014-0545.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
3c1e67f77228815883b105a8e62a10e0
mbs2/x86_64/apache-mod_dav_svn-1.8.11-1.mbs2.x86_64.rpm
35c5f1efb679c09bc48d917b94954713
mbs2/x86_64/lib64svn0-1.8.11-1.mbs2.x86_64.rpm
56722eb7ac7b08654d795a5981ebd210
mbs2/x86_64/lib64svnjavahl1-1.8.11-1.mbs2.x86_64.rpm
e1479d1c61864767d56a147bb4ee9b7f
mbs2/x86_64/perl-SVN-1.8.11-1.mbs2.x86_64.rpm
7c4d79f31b0559c22cc84f39a06f9da0
mbs2/x86_64/perl-svn-devel-1.8.11-1.mbs2.x86_64.rpm
14720ab01668a9d04b566d5102c09f68
mbs2/x86_64/python-svn-1.8.11-1.mbs2.x86_64.rpm
07db3a7142457efc1e0547fd40bbf03f
mbs2/x86_64/python-svn-devel-1.8.11-1.mbs2.x86_64.rpm
8d0511abbed2c57f505183bf00c4ab0d
mbs2/x86_64/ruby-svn-1.8.11-1.mbs2.x86_64.rpm
8d062f6dd429b87f2b1d432c92e9a84a
mbs2/x86_64/ruby-svn-devel-1.8.11-1.mbs2.x86_64.rpm
31e14a18991a2383065a069d53d3cd4e
mbs2/x86_64/subversion-1.8.11-1.mbs2.x86_64.rpm
1ce1c374c428409e8a6380d64b8706f8
mbs2/x86_64/subversion-devel-1.8.11-1.mbs2.x86_64.rpm
052411de41e785decc0bc130e2756eff
mbs2/x86_64/subversion-doc-1.8.11-1.mbs2.x86_64.rpm
98c1473e3721e4c9a6996db448c6ff36
mbs2/x86_64/subversion-server-1.8.11-1.mbs2.x86_64.rpm
6ad3881116530af4d889bb6c142d70dc
mbs2/x86_64/subversion-tools-1.8.11-1.mbs2.x86_64.rpm
3fb0c871a5771c8fe4c6475b5ac0406c
mbs2/x86_64/svn-javahl-1.8.11-1.mbs2.x86_64.rpm
45e0624a89e4c79d4739cd4eb22d9a29 mbs2/SRPMS/subversion-1.8.11-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFl6JmqjQ0CJFipgRAgkVAJ4xKUzteqhyYcBC4AuYoZ7Lv3oQZQCfROhl
NaJSaZq4W6qIMwD8fhQF5Ls=
=R/mF
-----END PGP SIGNATURE-----


------------=_1427533048-3111-7
Content-Type: text/plain; charset="UTF-8";
name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________


------------=_1427533048-3111-7--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung