Security update for subversion
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2015:2363-1
Final
1
1
2015-12-25T12:58:33Z
current
2015-12-25T12:58:33Z
2015-12-25T12:58:33Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for subversion
This update fixes the following security issues:
* CVE-2015-5343: Possible remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn caused by integer overflow when parsing skel-encoded request bodies. (bsc#958300)
* CVE-2015-3184: mod_authz_svn information leak in mixed anonymous/authenticated httpd (dav) configurations (bsc#939514)
* CVE-2015-3187: hidden paths leaked by path-based authz (bsc#939517)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/opensuse-updates/2015-12/msg00111.html
E-Mail link for openSUSE-SU-2015:2363-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
openSUSE Leap 42.1
libsvn_auth_gnome_keyring-1-0-1.8.10-6.1
libsvn_auth_kwallet-1-0-1.8.10-6.1
subversion-1.8.10-6.1
subversion-bash-completion-1.8.10-6.1
subversion-devel-1.8.10-6.1
subversion-perl-1.8.10-6.1
subversion-python-1.8.10-6.1
subversion-ruby-1.8.10-6.1
subversion-server-1.8.10-6.1
subversion-tools-1.8.10-6.1
libsvn_auth_gnome_keyring-1-0-1.8.10-6.1 as a component of openSUSE Leap 42.1
libsvn_auth_kwallet-1-0-1.8.10-6.1 as a component of openSUSE Leap 42.1
subversion-1.8.10-6.1 as a component of openSUSE Leap 42.1
subversion-bash-completion-1.8.10-6.1 as a component of openSUSE Leap 42.1
subversion-devel-1.8.10-6.1 as a component of openSUSE Leap 42.1
subversion-perl-1.8.10-6.1 as a component of openSUSE Leap 42.1
subversion-python-1.8.10-6.1 as a component of openSUSE Leap 42.1
subversion-ruby-1.8.10-6.1 as a component of openSUSE Leap 42.1
subversion-server-1.8.10-6.1 as a component of openSUSE Leap 42.1
subversion-tools-1.8.10-6.1 as a component of openSUSE Leap 42.1
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.
CVE-2015-3184
openSUSE Leap 42.1:libsvn_auth_gnome_keyring-1-0-1.8.10-6.1
openSUSE Leap 42.1:libsvn_auth_kwallet-1-0-1.8.10-6.1
openSUSE Leap 42.1:subversion-1.8.10-6.1
openSUSE Leap 42.1:subversion-bash-completion-1.8.10-6.1
openSUSE Leap 42.1:subversion-devel-1.8.10-6.1
openSUSE Leap 42.1:subversion-perl-1.8.10-6.1
openSUSE Leap 42.1:subversion-python-1.8.10-6.1
openSUSE Leap 42.1:subversion-ruby-1.8.10-6.1
openSUSE Leap 42.1:subversion-server-1.8.10-6.1
openSUSE Leap 42.1:subversion-tools-1.8.10-6.1
moderate
Please install the update.
https://lists.opensuse.org/opensuse-updates/2015-12/msg00111.html
https://www.suse.com/security/cve/CVE-2015-3184.html
CVE-2015-3184
https://bugzilla.suse.com/938723
SUSE Bug 938723
https://bugzilla.suse.com/939514
SUSE Bug 939514
https://bugzilla.suse.com/939516
SUSE Bug 939516
The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.
CVE-2015-3187
openSUSE Leap 42.1:libsvn_auth_gnome_keyring-1-0-1.8.10-6.1
openSUSE Leap 42.1:libsvn_auth_kwallet-1-0-1.8.10-6.1
openSUSE Leap 42.1:subversion-1.8.10-6.1
openSUSE Leap 42.1:subversion-bash-completion-1.8.10-6.1
openSUSE Leap 42.1:subversion-devel-1.8.10-6.1
openSUSE Leap 42.1:subversion-perl-1.8.10-6.1
openSUSE Leap 42.1:subversion-python-1.8.10-6.1
openSUSE Leap 42.1:subversion-ruby-1.8.10-6.1
openSUSE Leap 42.1:subversion-server-1.8.10-6.1
openSUSE Leap 42.1:subversion-tools-1.8.10-6.1
low
Please install the update.
https://lists.opensuse.org/opensuse-updates/2015-12/msg00111.html
https://www.suse.com/security/cve/CVE-2015-3187.html
CVE-2015-3187
https://bugzilla.suse.com/939517
SUSE Bug 939517
Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users to cause a denial of service (subversion server crash or memory consumption) and possibly execute arbitrary code via a skel-encoded request body, which triggers an out-of-bounds read and heap-based buffer overflow.
CVE-2015-5343
openSUSE Leap 42.1:libsvn_auth_gnome_keyring-1-0-1.8.10-6.1
openSUSE Leap 42.1:libsvn_auth_kwallet-1-0-1.8.10-6.1
openSUSE Leap 42.1:subversion-1.8.10-6.1
openSUSE Leap 42.1:subversion-bash-completion-1.8.10-6.1
openSUSE Leap 42.1:subversion-devel-1.8.10-6.1
openSUSE Leap 42.1:subversion-perl-1.8.10-6.1
openSUSE Leap 42.1:subversion-python-1.8.10-6.1
openSUSE Leap 42.1:subversion-ruby-1.8.10-6.1
openSUSE Leap 42.1:subversion-server-1.8.10-6.1
openSUSE Leap 42.1:subversion-tools-1.8.10-6.1
moderate
Please install the update.
https://lists.opensuse.org/opensuse-updates/2015-12/msg00111.html
https://www.suse.com/security/cve/CVE-2015-5343.html
CVE-2015-5343
https://bugzilla.suse.com/958300
SUSE Bug 958300