var-201508-0172
Vulnerability from variot
The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path. Apache Subversion is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. Apache Subversion 1.8.0 through 1.8.13 and 1.7.0 through 1.7.20 are vulnerable. The system is compatible with the Concurrent Versions System (CVS). ============================================================================ Ubuntu Security Notice USN-2721-1 August 20, 2015
subversion vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Subversion.
Software Description: - subversion: Advanced version control system
Details:
It was discovered that the Subversion mod_dav_svn module incorrectly handled REPORT requests for a resource that does not exist. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3580)
It was discovered that the Subversion mod_dav_svn module incorrectly handled requests requiring a lookup for a virtual transaction name that does not exist. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-8108)
Evgeny Kotkov discovered that the Subversion mod_dav_svn module incorrectly handled large numbers of REPORT requests. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-0202)
Evgeny Kotkov discovered that the Subversion mod_dav_svn and svnserve modules incorrectly certain crafted parameter combinations. (CVE-2015-0248)
Ivan Zhakov discovered that the Subversion mod_dav_svn module incorrectly handled crafted v1 HTTP protocol request sequences. (CVE-2015-0251)
C. A remote attacker could use this issue to read hidden files via the path name. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3184)
C. Michael Pilato discovered that Subversion incorrectly handled path-based authorization. (CVE-2015-3187)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 15.04: libapache2-svn 1.8.10-5ubuntu1.1 libsvn1 1.8.10-5ubuntu1.1 subversion 1.8.10-5ubuntu1.1
Ubuntu 14.04 LTS: libapache2-svn 1.8.8-1ubuntu3.2 libsvn1 1.8.8-1ubuntu3.2 subversion 1.8.8-1ubuntu3.2
Ubuntu 12.04 LTS: libapache2-svn 1.6.17dfsg-3ubuntu3.5 libsvn1 1.6.17dfsg-3ubuntu3.5 subversion 1.6.17dfsg-3ubuntu3.5
In general, a standard system update will make all the necessary changes. 6) - i386, noarch, x86_64
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
APPLE-SA-2016-03-21-4 Xcode 7.3
Xcode 7.3 is now available and addresses the following:
otool Available for: OS X El Capitan v10.11 and later Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1765 : Proteas of Qihoo 360 Nirvan Team and Will Estes (@squiffy)
subversion Available for: OS X El Capitan v10.11 and later Impact: A malicious server may be able to execute arbitrary code Description: Multiple vulnerabilities existed in subversion versions prior to 1.7.21, the most serious of which may have led to remote code execution. These were addressed by updating subversion to version 1.7.22. Michael Pilato, CollabNet
Xcode 7.0 may be obtained from: https://developer.apple.com/xcode/downloads/
To check that the Xcode has been updated:
- Select Xcode in the menu bar
- Select About Xcode
- The version after applying this update will be "7.3".
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJW8JQAAAoJEBcWfLTuOo7tO6gQAJAW+kXp0TuFMDT6xHo2YVIq OiRdtYYsaQ0vLXHhDFQP+8uXPSz6KnunxKYZhA3JsSIjXZcv+O0Vw9hP/5A3/nj8 vXYCFmVW9m7rse4k7m117PYdPuKuWtAvDU19b7B2/vPsrv1R6C5R+jZj7hi9Vp2T 4Vx4oLeXCAhzpuDNfvtnyI756b8j63si2eSMSIPp+smQl4RKWtEJEAX5yHkDpeyl cuCHiEbwx4+UomEp5jpOPGjcmohjpTrbBJE8hH/k6W85bBj+rhBPJoBAYafW7nHt 6uokIgZtU59ZEAwC8hme0vzApINfslV1fiJk1HN/rP6Cp+ptdIZGL8zydmzIh7yq gEnfcEEhD2TTkJYnt22l42ZtCDsGJkFBF/r77EHmYWUJfmR4a4Jismp4sGGPgZ12 OitRfBzojK1+Ah6tkYV2LKIfjstprBTRZdz0XKQtjgAwfgktAalrWiibZs2zBNF5 UfZKAsM3Qc9RBK5pNQpGMlrHQtnFdD74Df4TYRlSuKZRO5DLr0STDeHXQfn4Ti/9 8+ZifqggFuWBfh5es4EFdcpxRRqWI9OKOdgQ0Oc5tXwIyAlOshxNuP3qAgVQzwwd COicsW/1HsUoaopDuf+bzDcJPL/L9H3SRYfg4S/uv5JOjoaPr0pQC8mUfR25dZAw cU0NiqyyiqU1H29UaU50 =9aiD -----END PGP SIGNATURE----- .
Gentoo Linux Security Advisory GLSA 201610-05
https://security.gentoo.org/
Severity: Normal Title: Subversion, Serf: Multiple Vulnerabilities Date: October 11, 2016 Bugs: #500482, #518716, #519202, #545348, #556076, #567810, #581448, #586046 ID: 201610-05
Synopsis
Multiple vulnerabilities have been found in Subversion and Serf, the worst of which could lead to execution of arbitrary code.
Background
Subversion is a version control system intended to eventually replace CVS. Like CVS, it has an optional client-server architecture (where the server can be an Apache server running mod_svn, or an ssh program as in CVS's :ext: method). In addition to supporting the features found in CVS, Subversion also provides support for moving and copying files and directories.
The serf library is a high performance C-based HTTP client library built upon the Apache Portable Runtime (APR) library.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/subversion < 1.9.4 >= 1.9.4 *> 1.8.16 2 net-libs/serf < 1.3.7 >= 1.3.7 ------------------------------------------------------------------- 2 affected packages
Description
Multiple vulnerabilities have been discovered in Subversion and Serf. Please review the CVE identifiers referenced below for details
Impact
A remote attacker could possibly execute arbitrary code with the privileges of the process, conduct a man-in-the-middle attack, obtain sensitive information, or cause a Denial of Service Condition.
Workaround
There is no known workaround at this time.
Resolution
All Subversion users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.9.4"
All Serf users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/serf-1.3.7"
References
[ 1 ] CVE-2014-0032 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0032 [ 2 ] CVE-2014-3504 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3504 [ 3 ] CVE-2014-3522 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3522 [ 4 ] CVE-2014-3528 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3528 [ 5 ] CVE-2015-0202 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0202 [ 6 ] CVE-2015-0248 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0248 [ 7 ] CVE-2015-0251 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0251 [ 8 ] CVE-2015-3184 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3184 [ 9 ] CVE-2015-3187 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3187 [ 10 ] CVE-2015-5259 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5259 [ 11 ] CVE-2016-2167 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2167 [ 12 ] CVE-2016-2168 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2168
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201610-05
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: subversion security update Advisory ID: RHSA-2015:1742-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1742.html Issue date: 2015-09-08 CVE Names: CVE-2015-0248 CVE-2015-0251 CVE-2015-3184 CVE-2015-3187 =====================================================================
- Summary:
Updated subversion packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP.
An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash. (CVE-2015-0248)
It was found that the mod_authz_svn module did not properly restrict anonymous access to Subversion repositories under certain configurations when used with Apache httpd 2.4.x. This could allow a user to anonymously access files in a Subversion repository, which should only be accessible to authenticated users. (CVE-2015-3184)
It was found that the mod_dav_svn module did not properly validate the svn:author property of certain requests. An attacker able to create new revisions could use this flaw to spoof the svn:author property. (CVE-2015-0251)
It was found that when an SVN server (both svnserve and httpd with the mod_dav_svn module) searched the history of a file or a directory, it would disclose its location in the repository if that file or directory was not readable (for example, if it had been moved). (CVE-2015-3187)
Red Hat would like to thank the Apache Software Foundation for reporting these issues. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter of CVE-2015-0248 and CVE-2015-0251, and C. Michael Pilato of CollabNet as the original reporter of CVE-2015-3184 and CVE-2015-3187 flaws.
All subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1205138 - CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers 1205140 - CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions 1247249 - CVE-2015-3184 subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4 1247252 - CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz
- Package List:
Red Hat Enterprise Linux Client Optional (v. 7):
Source: subversion-1.7.14-7.el7_1.1.src.rpm
x86_64: mod_dav_svn-1.7.14-7.el7_1.1.x86_64.rpm subversion-1.7.14-7.el7_1.1.i686.rpm subversion-1.7.14-7.el7_1.1.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm subversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm subversion-devel-1.7.14-7.el7_1.1.i686.rpm subversion-devel-1.7.14-7.el7_1.1.x86_64.rpm subversion-gnome-1.7.14-7.el7_1.1.i686.rpm subversion-gnome-1.7.14-7.el7_1.1.x86_64.rpm subversion-javahl-1.7.14-7.el7_1.1.i686.rpm subversion-javahl-1.7.14-7.el7_1.1.x86_64.rpm subversion-kde-1.7.14-7.el7_1.1.i686.rpm subversion-kde-1.7.14-7.el7_1.1.x86_64.rpm subversion-libs-1.7.14-7.el7_1.1.i686.rpm subversion-libs-1.7.14-7.el7_1.1.x86_64.rpm subversion-perl-1.7.14-7.el7_1.1.i686.rpm subversion-perl-1.7.14-7.el7_1.1.x86_64.rpm subversion-python-1.7.14-7.el7_1.1.x86_64.rpm subversion-ruby-1.7.14-7.el7_1.1.i686.rpm subversion-ruby-1.7.14-7.el7_1.1.x86_64.rpm subversion-tools-1.7.14-7.el7_1.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source: subversion-1.7.14-7.el7_1.1.src.rpm
x86_64: mod_dav_svn-1.7.14-7.el7_1.1.x86_64.rpm subversion-1.7.14-7.el7_1.1.i686.rpm subversion-1.7.14-7.el7_1.1.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm subversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm subversion-devel-1.7.14-7.el7_1.1.i686.rpm subversion-devel-1.7.14-7.el7_1.1.x86_64.rpm subversion-gnome-1.7.14-7.el7_1.1.i686.rpm subversion-gnome-1.7.14-7.el7_1.1.x86_64.rpm subversion-javahl-1.7.14-7.el7_1.1.i686.rpm subversion-javahl-1.7.14-7.el7_1.1.x86_64.rpm subversion-kde-1.7.14-7.el7_1.1.i686.rpm subversion-kde-1.7.14-7.el7_1.1.x86_64.rpm subversion-libs-1.7.14-7.el7_1.1.i686.rpm subversion-libs-1.7.14-7.el7_1.1.x86_64.rpm subversion-perl-1.7.14-7.el7_1.1.i686.rpm subversion-perl-1.7.14-7.el7_1.1.x86_64.rpm subversion-python-1.7.14-7.el7_1.1.x86_64.rpm subversion-ruby-1.7.14-7.el7_1.1.i686.rpm subversion-ruby-1.7.14-7.el7_1.1.x86_64.rpm subversion-tools-1.7.14-7.el7_1.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: subversion-1.7.14-7.el7_1.1.src.rpm
ppc64: mod_dav_svn-1.7.14-7.el7_1.1.ppc64.rpm subversion-1.7.14-7.el7_1.1.ppc64.rpm subversion-debuginfo-1.7.14-7.el7_1.1.ppc.rpm subversion-debuginfo-1.7.14-7.el7_1.1.ppc64.rpm subversion-libs-1.7.14-7.el7_1.1.ppc.rpm subversion-libs-1.7.14-7.el7_1.1.ppc64.rpm
s390x: mod_dav_svn-1.7.14-7.el7_1.1.s390x.rpm subversion-1.7.14-7.el7_1.1.s390x.rpm subversion-debuginfo-1.7.14-7.el7_1.1.s390.rpm subversion-debuginfo-1.7.14-7.el7_1.1.s390x.rpm subversion-libs-1.7.14-7.el7_1.1.s390.rpm subversion-libs-1.7.14-7.el7_1.1.s390x.rpm
x86_64: mod_dav_svn-1.7.14-7.el7_1.1.x86_64.rpm subversion-1.7.14-7.el7_1.1.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm subversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm subversion-libs-1.7.14-7.el7_1.1.i686.rpm subversion-libs-1.7.14-7.el7_1.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: subversion-1.7.14-7.ael7b_1.1.src.rpm
ppc64le: mod_dav_svn-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-debuginfo-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-libs-1.7.14-7.ael7b_1.1.ppc64le.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: subversion-1.7.14-7.el7_1.1.ppc.rpm subversion-debuginfo-1.7.14-7.el7_1.1.ppc.rpm subversion-debuginfo-1.7.14-7.el7_1.1.ppc64.rpm subversion-devel-1.7.14-7.el7_1.1.ppc.rpm subversion-devel-1.7.14-7.el7_1.1.ppc64.rpm subversion-gnome-1.7.14-7.el7_1.1.ppc.rpm subversion-gnome-1.7.14-7.el7_1.1.ppc64.rpm subversion-javahl-1.7.14-7.el7_1.1.ppc.rpm subversion-javahl-1.7.14-7.el7_1.1.ppc64.rpm subversion-kde-1.7.14-7.el7_1.1.ppc.rpm subversion-kde-1.7.14-7.el7_1.1.ppc64.rpm subversion-perl-1.7.14-7.el7_1.1.ppc.rpm subversion-perl-1.7.14-7.el7_1.1.ppc64.rpm subversion-python-1.7.14-7.el7_1.1.ppc64.rpm subversion-ruby-1.7.14-7.el7_1.1.ppc.rpm subversion-ruby-1.7.14-7.el7_1.1.ppc64.rpm subversion-tools-1.7.14-7.el7_1.1.ppc64.rpm
s390x: subversion-1.7.14-7.el7_1.1.s390.rpm subversion-debuginfo-1.7.14-7.el7_1.1.s390.rpm subversion-debuginfo-1.7.14-7.el7_1.1.s390x.rpm subversion-devel-1.7.14-7.el7_1.1.s390.rpm subversion-devel-1.7.14-7.el7_1.1.s390x.rpm subversion-gnome-1.7.14-7.el7_1.1.s390.rpm subversion-gnome-1.7.14-7.el7_1.1.s390x.rpm subversion-javahl-1.7.14-7.el7_1.1.s390.rpm subversion-javahl-1.7.14-7.el7_1.1.s390x.rpm subversion-kde-1.7.14-7.el7_1.1.s390.rpm subversion-kde-1.7.14-7.el7_1.1.s390x.rpm subversion-perl-1.7.14-7.el7_1.1.s390.rpm subversion-perl-1.7.14-7.el7_1.1.s390x.rpm subversion-python-1.7.14-7.el7_1.1.s390x.rpm subversion-ruby-1.7.14-7.el7_1.1.s390.rpm subversion-ruby-1.7.14-7.el7_1.1.s390x.rpm subversion-tools-1.7.14-7.el7_1.1.s390x.rpm
x86_64: subversion-1.7.14-7.el7_1.1.i686.rpm subversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm subversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm subversion-devel-1.7.14-7.el7_1.1.i686.rpm subversion-devel-1.7.14-7.el7_1.1.x86_64.rpm subversion-gnome-1.7.14-7.el7_1.1.i686.rpm subversion-gnome-1.7.14-7.el7_1.1.x86_64.rpm subversion-javahl-1.7.14-7.el7_1.1.i686.rpm subversion-javahl-1.7.14-7.el7_1.1.x86_64.rpm subversion-kde-1.7.14-7.el7_1.1.i686.rpm subversion-kde-1.7.14-7.el7_1.1.x86_64.rpm subversion-perl-1.7.14-7.el7_1.1.i686.rpm subversion-perl-1.7.14-7.el7_1.1.x86_64.rpm subversion-python-1.7.14-7.el7_1.1.x86_64.rpm subversion-ruby-1.7.14-7.el7_1.1.i686.rpm subversion-ruby-1.7.14-7.el7_1.1.x86_64.rpm subversion-tools-1.7.14-7.el7_1.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64le: subversion-debuginfo-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-devel-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-gnome-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-javahl-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-kde-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-perl-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-python-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-ruby-1.7.14-7.ael7b_1.1.ppc64le.rpm subversion-tools-1.7.14-7.ael7b_1.1.ppc64le.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: subversion-1.7.14-7.el7_1.1.src.rpm
x86_64: mod_dav_svn-1.7.14-7.el7_1.1.x86_64.rpm subversion-1.7.14-7.el7_1.1.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm subversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm subversion-libs-1.7.14-7.el7_1.1.i686.rpm subversion-libs-1.7.14-7.el7_1.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: subversion-1.7.14-7.el7_1.1.i686.rpm subversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm subversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm subversion-devel-1.7.14-7.el7_1.1.i686.rpm subversion-devel-1.7.14-7.el7_1.1.x86_64.rpm subversion-gnome-1.7.14-7.el7_1.1.i686.rpm subversion-gnome-1.7.14-7.el7_1.1.x86_64.rpm subversion-javahl-1.7.14-7.el7_1.1.i686.rpm subversion-javahl-1.7.14-7.el7_1.1.x86_64.rpm subversion-kde-1.7.14-7.el7_1.1.i686.rpm subversion-kde-1.7.14-7.el7_1.1.x86_64.rpm subversion-perl-1.7.14-7.el7_1.1.i686.rpm subversion-perl-1.7.14-7.el7_1.1.x86_64.rpm subversion-python-1.7.14-7.el7_1.1.x86_64.rpm subversion-ruby-1.7.14-7.el7_1.1.i686.rpm subversion-ruby-1.7.14-7.el7_1.1.x86_64.rpm subversion-tools-1.7.14-7.el7_1.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2015-0248 https://access.redhat.com/security/cve/CVE-2015-0251 https://access.redhat.com/security/cve/CVE-2015-3184 https://access.redhat.com/security/cve/CVE-2015-3187 https://access.redhat.com/security/updates/classification/#moderate https://subversion.apache.org/security/CVE-2015-0248-advisory.txt https://subversion.apache.org/security/CVE-2015-3184-advisory.txt https://subversion.apache.org/security/CVE-2015-0251-advisory.txt https://subversion.apache.org/security/CVE-2015-3187-advisory.txt
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFV7t6+XlSAg2UNWIIRAivqAKCtV0lnW3RGFsCNsKIU9lBHeBk4UQCdE8/b KVJwbobNcmPzKule+9U7RnM= =F2J4 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201508-0172", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.11" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.10" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.9" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.5" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.1" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.8" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.7" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.6" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.4" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.3" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.2" }, { "model": "subversion", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "1.8.13" }, { "model": "subversion", "scope": "lte", "trust": 1.0, "vendor": "apache", "version": "1.7.20" }, { "model": "xcode", "scope": "lte", "trust": 1.0, "vendor": "apple", "version": "7.2.1" }, { "model": "subversion", "scope": "lt", "trust": 0.8, "vendor": "apache", "version": "1.8.x" }, { "model": "subversion", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": "1.8.14" }, { "model": "xcode", "scope": "lt", "trust": 0.8, "vendor": "apple", "version": "(os x el capitan v10.11 or later )" }, { "model": "xcode", "scope": "eq", "trust": 0.8, "vendor": "apple", "version": "7.3" }, { "model": "xcode", "scope": "eq", "trust": 0.6, "vendor": "apple", "version": "7.2.1" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "15.04" }, { "model": "linux lts", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "14.04" }, { "model": "linux lts i386", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "12.04" }, { "model": "linux lts amd64", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "12.04" }, { "model": "enterprise linux workstation optional", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux workstation", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux server optional", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux server", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux hpc node optional", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux desktop optional", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "7" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "6.2" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "6" }, { "model": "linux", "scope": null, "trust": 0.3, "vendor": "gentoo", "version": null }, { "model": "linux sparc", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "6.0" }, { "model": "linux s/390", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "6.0" }, { "model": "linux powerpc", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "6.0" }, { "model": "linux mips", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "6.0" }, { "model": "linux ia-64", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "6.0" }, { "model": "linux ia-32", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "6.0" }, { "model": "linux arm", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "6.0" }, { "model": "linux amd64", "scope": "eq", "trust": 0.3, "vendor": "debian", "version": "6.0" }, { "model": "centos", "scope": "eq", "trust": 0.3, "vendor": "centos", "version": "7" }, { "model": "centos", "scope": "eq", "trust": 0.3, "vendor": "centos", "version": "6" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "6.0.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "2.4.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "7.2" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "7.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "7.0" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "6.3" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "6.2" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "6.0" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "5.0" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.4" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.3.3" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.3.2" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.3.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.3" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.2.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.2" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.1.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.0.2" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "4.0.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.2.5" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.2.4" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.2.3" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.2.2" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.2.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.1.4" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.1.3" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.1.2" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.1.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "3.0" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "2.3" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "2.2" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "2.1" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "2.0" }, { "model": "xcode", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "1.5" }, { "model": "mac os", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.11.3" }, { "model": "mac os", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.11.2" }, { "model": "mac os", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.11.1" }, { "model": "mac os", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.11" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.8" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.19" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.18" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.17" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.16" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.11" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.10" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.1" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.9" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.8" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.7" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.6" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.5" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.4" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.3" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.20" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.2" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.15" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.14" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.13" }, { "model": "subversion", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.7.12" }, { "model": "xcode", "scope": "ne", "trust": 0.3, "vendor": "apple", "version": "7.3" }, { "model": "subversion", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "1.8.14" }, { "model": "subversion", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "1.7.22" }, { "model": "subversion", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "1.7.21" } ], "sources": [ { "db": "BID", "id": "76273" }, { "db": "JVNDB", "id": "JVNDB-2015-004064" }, { "db": "NVD", "id": "CVE-2015-3187" }, { "db": "CNNVD", "id": "CNNVD-201508-058" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "1.7.20", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:subversion:1.8.13:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "7.2.1", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2015-3187" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "C. Michael Pilato of CollabNet.", "sources": [ { "db": "BID", "id": "76273" }, { "db": "CNNVD", "id": "CNNVD-201508-058" } ], "trust": 0.9 }, "cve": "CVE-2015-3187", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", "availabilityImpact": "None", "baseScore": 4.0, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2015-3187", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "VULHUB", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "VHN-81148", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:S/C:P/I:N/A:N", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2015-3187", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201508-058", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULHUB", "id": "VHN-81148", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-81148" }, { "db": "JVNDB", "id": "JVNDB-2015-004064" }, { "db": "NVD", "id": "CVE-2015-3187" }, { "db": "CNNVD", "id": "CNNVD-201508-058" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path. Apache Subversion is prone to an information-disclosure vulnerability. \nAttackers can exploit this issue to obtain sensitive information that may aid in further attacks. \nApache Subversion 1.8.0 through 1.8.13 and 1.7.0 through 1.7.20 are vulnerable. The system is compatible with the Concurrent Versions System (CVS). ============================================================================\nUbuntu Security Notice USN-2721-1\nAugust 20, 2015\n\nsubversion vulnerabilities\n============================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 15.04\n- Ubuntu 14.04 LTS\n- Ubuntu 12.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in Subversion. \n\nSoftware Description:\n- subversion: Advanced version control system\n\nDetails:\n\nIt was discovered that the Subversion mod_dav_svn module incorrectly\nhandled REPORT requests for a resource that does not exist. This issue only affected Ubuntu 12.04 LTS and Ubuntu\n14.04 LTS. (CVE-2014-3580)\n\nIt was discovered that the Subversion mod_dav_svn module incorrectly\nhandled requests requiring a lookup for a virtual transaction name that\ndoes not exist. This issue only affected Ubuntu\n14.04 LTS. (CVE-2014-8108)\n\nEvgeny Kotkov discovered that the Subversion mod_dav_svn module incorrectly\nhandled large numbers of REPORT requests. This\nissue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-0202)\n\nEvgeny Kotkov discovered that the Subversion mod_dav_svn and svnserve\nmodules incorrectly certain crafted parameter combinations. (CVE-2015-0248)\n\nIvan Zhakov discovered that the Subversion mod_dav_svn module incorrectly\nhandled crafted v1 HTTP protocol request sequences. (CVE-2015-0251)\n\nC. A remote attacker could use this\nissue to read hidden files via the path name. This issue only affected\nUbuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3184)\n\nC. Michael Pilato discovered that Subversion incorrectly handled path-based\nauthorization. (CVE-2015-3187)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 15.04:\n libapache2-svn 1.8.10-5ubuntu1.1\n libsvn1 1.8.10-5ubuntu1.1\n subversion 1.8.10-5ubuntu1.1\n\nUbuntu 14.04 LTS:\n libapache2-svn 1.8.8-1ubuntu3.2\n libsvn1 1.8.8-1ubuntu3.2\n subversion 1.8.8-1ubuntu3.2\n\nUbuntu 12.04 LTS:\n libapache2-svn 1.6.17dfsg-3ubuntu3.5\n libsvn1 1.6.17dfsg-3ubuntu3.5\n subversion 1.6.17dfsg-3ubuntu3.5\n\nIn general, a standard system update will make all the necessary changes. 6) - i386, noarch, x86_64\n\n3. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\nAPPLE-SA-2016-03-21-4 Xcode 7.3\n\nXcode 7.3 is now available and addresses the following:\n\notool\nAvailable for: OS X El Capitan v10.11 and later\nImpact: A local attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: Multiple memory corruption issues were addressed\nthrough improved memory handling. \nCVE-ID\nCVE-2016-1765 : Proteas of Qihoo 360 Nirvan Team and Will Estes\n(@squiffy)\n\nsubversion\nAvailable for: OS X El Capitan v10.11 and later\nImpact: A malicious server may be able to execute arbitrary code\nDescription: Multiple vulnerabilities existed in subversion versions\nprior to 1.7.21, the most serious of which may have led to remote\ncode execution. These were addressed by updating subversion to\nversion 1.7.22. Michael Pilato, CollabNet\n\nXcode 7.0 may be obtained from:\nhttps://developer.apple.com/xcode/downloads/\n\nTo check that the Xcode has been updated:\n\n* Select Xcode in the menu bar\n* Select About Xcode\n* The version after applying this update will be \"7.3\". \n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\nComment: GPGTools - https://gpgtools.org\n\niQIcBAEBCgAGBQJW8JQAAAoJEBcWfLTuOo7tO6gQAJAW+kXp0TuFMDT6xHo2YVIq\nOiRdtYYsaQ0vLXHhDFQP+8uXPSz6KnunxKYZhA3JsSIjXZcv+O0Vw9hP/5A3/nj8\nvXYCFmVW9m7rse4k7m117PYdPuKuWtAvDU19b7B2/vPsrv1R6C5R+jZj7hi9Vp2T\n4Vx4oLeXCAhzpuDNfvtnyI756b8j63si2eSMSIPp+smQl4RKWtEJEAX5yHkDpeyl\ncuCHiEbwx4+UomEp5jpOPGjcmohjpTrbBJE8hH/k6W85bBj+rhBPJoBAYafW7nHt\n6uokIgZtU59ZEAwC8hme0vzApINfslV1fiJk1HN/rP6Cp+ptdIZGL8zydmzIh7yq\ngEnfcEEhD2TTkJYnt22l42ZtCDsGJkFBF/r77EHmYWUJfmR4a4Jismp4sGGPgZ12\nOitRfBzojK1+Ah6tkYV2LKIfjstprBTRZdz0XKQtjgAwfgktAalrWiibZs2zBNF5\nUfZKAsM3Qc9RBK5pNQpGMlrHQtnFdD74Df4TYRlSuKZRO5DLr0STDeHXQfn4Ti/9\n8+ZifqggFuWBfh5es4EFdcpxRRqWI9OKOdgQ0Oc5tXwIyAlOshxNuP3qAgVQzwwd\nCOicsW/1HsUoaopDuf+bzDcJPL/L9H3SRYfg4S/uv5JOjoaPr0pQC8mUfR25dZAw\ncU0NiqyyiqU1H29UaU50\n=9aiD\n-----END PGP SIGNATURE-----\n. \n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201610-05\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: Subversion, Serf: Multiple Vulnerabilities\n Date: October 11, 2016\n Bugs: #500482, #518716, #519202, #545348, #556076, #567810,\n #581448, #586046\n ID: 201610-05\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in Subversion and Serf, the\nworst of which could lead to execution of arbitrary code. \n\nBackground\n==========\n\nSubversion is a version control system intended to eventually replace\nCVS. Like CVS, it has an optional client-server architecture (where the\nserver can be an Apache server running mod_svn, or an ssh program as in\nCVS\u0027s :ext: method). In addition to supporting the features found in\nCVS, Subversion also provides support for moving and copying files and\ndirectories. \n\nThe serf library is a high performance C-based HTTP client library\nbuilt upon the Apache Portable Runtime (APR) library. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 dev-vcs/subversion \u003c 1.9.4 \u003e= 1.9.4\n *\u003e 1.8.16\n 2 net-libs/serf \u003c 1.3.7 \u003e= 1.3.7\n -------------------------------------------------------------------\n 2 affected packages\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Subversion and Serf. \nPlease review the CVE identifiers referenced below for details\n\nImpact\n======\n\nA remote attacker could possibly execute arbitrary code with the\nprivileges of the process, conduct a man-in-the-middle attack, obtain\nsensitive information, or cause a Denial of Service Condition. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Subversion users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=dev-vcs/subversion-1.9.4\"\n\nAll Serf users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-libs/serf-1.3.7\"\n\nReferences\n==========\n\n[ 1 ] CVE-2014-0032\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0032\n[ 2 ] CVE-2014-3504\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3504\n[ 3 ] CVE-2014-3522\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3522\n[ 4 ] CVE-2014-3528\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3528\n[ 5 ] CVE-2015-0202\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0202\n[ 6 ] CVE-2015-0248\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0248\n[ 7 ] CVE-2015-0251\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0251\n[ 8 ] CVE-2015-3184\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3184\n[ 9 ] CVE-2015-3187\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3187\n[ 10 ] CVE-2015-5259\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5259\n[ 11 ] CVE-2016-2167\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2167\n[ 12 ] CVE-2016-2168\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2168\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201610-05\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2016 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: subversion security update\nAdvisory ID: RHSA-2015:1742-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2015-1742.html\nIssue date: 2015-09-08\nCVE Names: CVE-2015-0248 CVE-2015-0251 CVE-2015-3184 \n CVE-2015-3187 \n=====================================================================\n\n1. Summary:\n\nUpdated subversion packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nSubversion (SVN) is a concurrent version control system which enables one\nor more users to collaborate in developing and maintaining a hierarchy of\nfiles and directories while keeping a history of all changes. The\nmod_dav_svn module is used with the Apache HTTP Server to allow access\nto Subversion repositories via HTTP. \n\nAn assertion failure flaw was found in the way the SVN server processed\ncertain requests with dynamically evaluated revision numbers. A remote\nattacker could use this flaw to cause the SVN server (both svnserve and\nhttpd with the mod_dav_svn module) to crash. (CVE-2015-0248)\n\nIt was found that the mod_authz_svn module did not properly restrict\nanonymous access to Subversion repositories under certain configurations\nwhen used with Apache httpd 2.4.x. This could allow a user to anonymously\naccess files in a Subversion repository, which should only be accessible to\nauthenticated users. (CVE-2015-3184)\n\nIt was found that the mod_dav_svn module did not properly validate the\nsvn:author property of certain requests. An attacker able to create new\nrevisions could use this flaw to spoof the svn:author property. \n(CVE-2015-0251)\n\nIt was found that when an SVN server (both svnserve and httpd with the\nmod_dav_svn module) searched the history of a file or a directory, it would\ndisclose its location in the repository if that file or directory was not\nreadable (for example, if it had been moved). (CVE-2015-3187)\n\nRed Hat would like to thank the Apache Software Foundation for reporting\nthese issues. Upstream acknowledges Evgeny Kotkov of VisualSVN as the\noriginal reporter of CVE-2015-0248 and CVE-2015-0251, and C. Michael\nPilato of CollabNet as the original reporter of CVE-2015-3184 and\nCVE-2015-3187 flaws. \n\nAll subversion users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, for the update to take effect, you must restart the httpd\ndaemon, if you are using mod_dav_svn, and the svnserve daemon, if you are\nserving Subversion repositories via the svn:// protocol. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1205138 - CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers\n1205140 - CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions\n1247249 - CVE-2015-3184 subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4\n1247252 - CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz\n\n6. Package List:\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nSource:\nsubversion-1.7.14-7.el7_1.1.src.rpm\n\nx86_64:\nmod_dav_svn-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-1.7.14-7.el7_1.1.i686.rpm\nsubversion-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-devel-1.7.14-7.el7_1.1.i686.rpm\nsubversion-devel-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.i686.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.i686.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-kde-1.7.14-7.el7_1.1.i686.rpm\nsubversion-kde-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-libs-1.7.14-7.el7_1.1.i686.rpm\nsubversion-libs-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-perl-1.7.14-7.el7_1.1.i686.rpm\nsubversion-perl-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-python-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.i686.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-tools-1.7.14-7.el7_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nSource:\nsubversion-1.7.14-7.el7_1.1.src.rpm\n\nx86_64:\nmod_dav_svn-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-1.7.14-7.el7_1.1.i686.rpm\nsubversion-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-devel-1.7.14-7.el7_1.1.i686.rpm\nsubversion-devel-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.i686.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.i686.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-kde-1.7.14-7.el7_1.1.i686.rpm\nsubversion-kde-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-libs-1.7.14-7.el7_1.1.i686.rpm\nsubversion-libs-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-perl-1.7.14-7.el7_1.1.i686.rpm\nsubversion-perl-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-python-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.i686.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-tools-1.7.14-7.el7_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nsubversion-1.7.14-7.el7_1.1.src.rpm\n\nppc64:\nmod_dav_svn-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-libs-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-libs-1.7.14-7.el7_1.1.ppc64.rpm\n\ns390x:\nmod_dav_svn-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.s390.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-libs-1.7.14-7.el7_1.1.s390.rpm\nsubversion-libs-1.7.14-7.el7_1.1.s390x.rpm\n\nx86_64:\nmod_dav_svn-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-libs-1.7.14-7.el7_1.1.i686.rpm\nsubversion-libs-1.7.14-7.el7_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nsubversion-1.7.14-7.ael7b_1.1.src.rpm\n\nppc64le:\nmod_dav_svn-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-debuginfo-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-libs-1.7.14-7.ael7b_1.1.ppc64le.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nsubversion-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-devel-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-devel-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-kde-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-kde-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-perl-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-perl-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-python-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.ppc.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.ppc64.rpm\nsubversion-tools-1.7.14-7.el7_1.1.ppc64.rpm\n\ns390x:\nsubversion-1.7.14-7.el7_1.1.s390.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.s390.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-devel-1.7.14-7.el7_1.1.s390.rpm\nsubversion-devel-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.s390.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.s390.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-kde-1.7.14-7.el7_1.1.s390.rpm\nsubversion-kde-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-perl-1.7.14-7.el7_1.1.s390.rpm\nsubversion-perl-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-python-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.s390.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.s390x.rpm\nsubversion-tools-1.7.14-7.el7_1.1.s390x.rpm\n\nx86_64:\nsubversion-1.7.14-7.el7_1.1.i686.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-devel-1.7.14-7.el7_1.1.i686.rpm\nsubversion-devel-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.i686.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.i686.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-kde-1.7.14-7.el7_1.1.i686.rpm\nsubversion-kde-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-perl-1.7.14-7.el7_1.1.i686.rpm\nsubversion-perl-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-python-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.i686.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-tools-1.7.14-7.el7_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64le:\nsubversion-debuginfo-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-devel-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-gnome-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-javahl-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-kde-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-perl-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-python-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-ruby-1.7.14-7.ael7b_1.1.ppc64le.rpm\nsubversion-tools-1.7.14-7.ael7b_1.1.ppc64le.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nsubversion-1.7.14-7.el7_1.1.src.rpm\n\nx86_64:\nmod_dav_svn-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-libs-1.7.14-7.el7_1.1.i686.rpm\nsubversion-libs-1.7.14-7.el7_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nsubversion-1.7.14-7.el7_1.1.i686.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.i686.rpm\nsubversion-debuginfo-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-devel-1.7.14-7.el7_1.1.i686.rpm\nsubversion-devel-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.i686.rpm\nsubversion-gnome-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.i686.rpm\nsubversion-javahl-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-kde-1.7.14-7.el7_1.1.i686.rpm\nsubversion-kde-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-perl-1.7.14-7.el7_1.1.i686.rpm\nsubversion-perl-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-python-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.i686.rpm\nsubversion-ruby-1.7.14-7.el7_1.1.x86_64.rpm\nsubversion-tools-1.7.14-7.el7_1.1.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2015-0248\nhttps://access.redhat.com/security/cve/CVE-2015-0251\nhttps://access.redhat.com/security/cve/CVE-2015-3184\nhttps://access.redhat.com/security/cve/CVE-2015-3187\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://subversion.apache.org/security/CVE-2015-0248-advisory.txt\nhttps://subversion.apache.org/security/CVE-2015-3184-advisory.txt\nhttps://subversion.apache.org/security/CVE-2015-0251-advisory.txt\nhttps://subversion.apache.org/security/CVE-2015-3187-advisory.txt\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2015 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFV7t6+XlSAg2UNWIIRAivqAKCtV0lnW3RGFsCNsKIU9lBHeBk4UQCdE8/b\nKVJwbobNcmPzKule+9U7RnM=\n=F2J4\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n", "sources": [ { "db": "NVD", "id": "CVE-2015-3187" }, { "db": "JVNDB", "id": "JVNDB-2015-004064" }, { "db": "BID", "id": "76273" }, { "db": "VULHUB", "id": "VHN-81148" }, { "db": "PACKETSTORM", "id": "133236" }, { "db": "PACKETSTORM", "id": "133096" }, { "db": "PACKETSTORM", "id": "136345" }, { "db": "PACKETSTORM", "id": "139060" }, { "db": "PACKETSTORM", "id": "133473" } ], "trust": 2.43 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2015-3187", "trust": 3.3 }, { "db": "SECTRACK", "id": "1033215", "trust": 2.5 }, { "db": "BID", "id": "76273", "trust": 2.0 }, { "db": "JVN", "id": "JVNVU97668313", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2015-004064", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201508-058", "trust": 0.7 }, { "db": "VULHUB", "id": "VHN-81148", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "133236", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "133096", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "136345", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "139060", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "133473", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-81148" }, { "db": "BID", "id": "76273" }, { "db": "JVNDB", "id": "JVNDB-2015-004064" }, { "db": "PACKETSTORM", "id": "133236" }, { "db": "PACKETSTORM", "id": "133096" }, { "db": "PACKETSTORM", "id": "136345" }, { "db": "PACKETSTORM", "id": "139060" }, { "db": "PACKETSTORM", "id": "133473" }, { "db": "NVD", "id": "CVE-2015-3187" }, { "db": "CNNVD", "id": "CNNVD-201508-058" } ] }, "id": "VAR-201508-0172", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-81148" } ], "trust": 0.01 }, "last_update_date": "2023-12-18T10:55:48.246000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "APPLE-SA-2016-03-21-4 Xcode 7.3", "trust": 0.8, "url": "http://lists.apple.com/archives/security-announce/2016/mar/msg00003.html" }, { "title": "HT206172", "trust": 0.8, "url": "https://support.apple.com/en-us/ht206172" }, { "title": "HT206172", "trust": 0.8, "url": "https://support.apple.com/ja-jp/ht206172" }, { "title": "RHSA-2015:1633", "trust": 0.8, "url": "http://rhn.redhat.com/errata/rhsa-2015-1633.html" }, { "title": "CVE-2015-3187-advisory", "trust": 0.8, "url": "http://subversion.apache.org/security/cve-2015-3187-advisory.txt" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-004064" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-200", "trust": 1.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-81148" }, { "db": "JVNDB", "id": "JVNDB-2015-004064" }, { "db": "NVD", "id": "CVE-2015-3187" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "http://www.securitytracker.com/id/1033215" }, { "trust": 2.2, "url": "http://subversion.apache.org/security/cve-2015-3187-advisory.txt" }, { "trust": 1.7, "url": "http://www.securityfocus.com/bid/76273" }, { "trust": 1.5, "url": "http://rhn.redhat.com/errata/rhsa-2015-1742.html" }, { "trust": 1.2, "url": "https://security.gentoo.org/glsa/201610-05" }, { "trust": 1.2, "url": "http://rhn.redhat.com/errata/rhsa-2015-1633.html" }, { "trust": 1.2, "url": "http://www.ubuntu.com/usn/usn-2721-1" }, { "trust": 1.1, "url": "http://lists.apple.com/archives/security-announce/2016/mar/msg00003.html" }, { "trust": 1.1, "url": "https://support.apple.com/ht206172" }, { "trust": 1.1, "url": "http://www.debian.org/security/2015/dsa-3331" }, { "trust": 1.1, "url": "http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3187" }, { "trust": 0.8, "url": "http://jvn.jp/vu/jvnvu97668313/index.html" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-3187" }, { "trust": 0.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-3187" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0248" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0251" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-3184" }, { "trust": 0.3, "url": "http://subversion.apache.org/" }, { "trust": 0.3, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1247252" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0202" }, { "trust": 0.2, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.2, "url": "https://subversion.apache.org/security/cve-2015-0251-advisory.txt" }, { "trust": 0.2, "url": "https://subversion.apache.org/security/cve-2015-0248-advisory.txt" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2015-0251" }, { "trust": 0.2, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2015-0248" }, { "trust": 0.2, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2015-3187" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/subversion/1.6.17dfsg-3ubuntu3.5" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2014-8108" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3580" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/subversion/1.8.8-1ubuntu3.2" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/subversion/1.8.10-5ubuntu1.1" }, { "trust": 0.1, "url": "https://support.apple.com/kb/ht201222" }, { "trust": 0.1, "url": "https://www.apple.com/support/security/pgp/" }, { "trust": 0.1, "url": "https://gpgtools.org" }, { "trust": 0.1, "url": "https://developer.apple.com/xcode/downloads/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1765" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-3187" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-5259" }, { "trust": 0.1, "url": "https://security.gentoo.org/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2014-0032" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3528" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3504" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-2168" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2016-2168" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-2167" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2016-2167" }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0248" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-3184" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-3504" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3522" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-5259" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0251" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0202" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-3522" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-3528" }, { "trust": 0.1, "url": "https://bugs.gentoo.org." }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-0032" }, { "trust": 0.1, "url": "https://subversion.apache.org/security/cve-2015-3184-advisory.txt" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2015-3184" } ], "sources": [ { "db": "VULHUB", "id": "VHN-81148" }, { "db": "BID", "id": "76273" }, { "db": "JVNDB", "id": "JVNDB-2015-004064" }, { "db": "PACKETSTORM", "id": "133236" }, { "db": "PACKETSTORM", "id": "133096" }, { "db": "PACKETSTORM", "id": "136345" }, { "db": "PACKETSTORM", "id": "139060" }, { "db": "PACKETSTORM", "id": "133473" }, { "db": "NVD", "id": "CVE-2015-3187" }, { "db": "CNNVD", "id": "CNNVD-201508-058" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-81148" }, { "db": "BID", "id": "76273" }, { "db": "JVNDB", "id": "JVNDB-2015-004064" }, { "db": "PACKETSTORM", "id": "133236" }, { "db": "PACKETSTORM", "id": "133096" }, { "db": "PACKETSTORM", "id": "136345" }, { "db": "PACKETSTORM", "id": "139060" }, { "db": "PACKETSTORM", "id": "133473" }, { "db": "NVD", "id": "CVE-2015-3187" }, { "db": "CNNVD", "id": "CNNVD-201508-058" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2015-08-12T00:00:00", "db": "VULHUB", "id": "VHN-81148" }, { "date": "2015-07-27T00:00:00", "db": "BID", "id": "76273" }, { "date": "2015-08-13T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-004064" }, { "date": "2015-08-21T16:59:18", "db": "PACKETSTORM", "id": "133236" }, { "date": "2015-08-17T15:40:41", "db": "PACKETSTORM", "id": "133096" }, { "date": "2016-03-22T15:15:02", "db": "PACKETSTORM", "id": "136345" }, { "date": "2016-10-12T04:50:20", "db": "PACKETSTORM", "id": "139060" }, { "date": "2015-09-08T15:47:21", "db": "PACKETSTORM", "id": "133473" }, { "date": "2015-08-12T14:59:12.150000", "db": "NVD", "id": "CVE-2015-3187" }, { "date": "2015-07-27T00:00:00", "db": "CNNVD", "id": "CNNVD-201508-058" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2017-07-01T00:00:00", "db": "VULHUB", "id": "VHN-81148" }, { "date": "2016-10-26T00:17:00", "db": "BID", "id": "76273" }, { "date": "2016-03-29T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-004064" }, { "date": "2017-07-01T01:29:15.733000", "db": "NVD", "id": "CVE-2015-3187" }, { "date": "2015-08-13T00:00:00", "db": "CNNVD", "id": "CNNVD-201508-058" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "133236" }, { "db": "PACKETSTORM", "id": "133096" }, { "db": "PACKETSTORM", "id": "133473" }, { "db": "CNNVD", "id": "CNNVD-201508-058" } ], "trust": 0.9 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache Subversion of svn_repos_trace_node_locations Vulnerability in obtaining important path information in functions", "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-004064" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "information disclosure", "sources": [ { "db": "CNNVD", "id": "CNNVD-201508-058" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.