[Fedora] Vulnerability in Subversion up to and including version 1.4.3 - FEDORA-2007-2635
Dear colleagues,
we have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.
CVE-2007-2448 - Flawed implementation of the "Partial Access"
privilege in Subversion
The "Partial Access" privilege in Subversion allows a user access to
at least one of the paths in the repository, but not to all of them.
This privilege is implemented incorrectly in Subversion up to and
including version 1.4.3. As a result, users can gain access to data
(revision properties) that they would not see in the output of "svn
log" by calling "svn propget", "svn proplist" or "svn propedit"
instead. The vulnerability is only exploitable if the user has access
to changed paths in the revision, but not to copied paths.
The following software packages and platforms are affected:
Package subversion
Fedora 7
The vendor provides revised packages.
Vendor advisory:
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00371.html
(c) of the German summary held by DFN-CERT Services GmbH;
distribution, including in excerpts, is permitted only with
attribution to the author, DFN-CERT Services GmbH, and only for
non-commercial purposes.
Kind regards,
Andreas Bunten, DFN-CERT
--
Andreas Bunten (CSIRT), +49 40 808077-555
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Heidenkampsweg 41, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-2635
2007-10-29 19:02:36.986453
--------------------------------------------------------------------------------
Name : subversion
Product : Fedora 7
Version : 1.4.4
Release : 1.fc7
URL : http://subversion.tigris.org/
Summary : Modern Version Control System designed to replace CVS
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes. Subversion only stores the differences between versions,
instead of every complete file. Subversion is intended to be a
compelling replacement for CVS.
--------------------------------------------------------------------------------
Update Information:
This update includes the Subversion 1.4.4 release, including a number of bug fixes and a fix for a minor security issue.
An issue was discovered in the implementation of access control for revision properties in the path-based authorization code. In a repository using path-based access control, if a path was copied from a private area to a public area, the revision properties of the (private) source path would become visible despite the access control restrictions. (CVE-2007-2448)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jul 3 2007 Joe Orton <jorton@xxxxxxxxxx> 1.4.4-1.fc7
- update to 1.4.4
- add Provides: svn (#245087)
- fix without-java build (Lennert Buytenhek, #245467)
* Wed Apr 11 2007 Joe Orton <jorton@xxxxxxxxxx> 1.4.3-5
- fix version of apr/apr-util in BR (#216181)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #243856 - CVE-2007-2448 New subversion release fixes a subtle security bug [F7]
https://bugzilla.redhat.com/show_bug.cgi?id=243856
[ 2 ] Bug #245087 - add Provides: svn to subversion package
https://bugzilla.redhat.com/show_bug.cgi?id=245087
[ 3 ] CVE-2007-2448
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2448
--------------------------------------------------------------------------------
Updated packages:
This update can be installed with the "yum" update program. Use
su -c 'yum update subversion'
at the command line. For more information, refer to "Managing Software
with yum", available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------
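The access-control flaw described in the advisory, as a simplified model added here (an illustration, not code from Subversion, Fedora or DFN-CERT): a check that looks only at the changed paths of a revision grants full access to its revision properties, while a check that also considers copy sources downgrades the user to partial access. The model assumes three access levels, with partial access limited to svn:author and svn:date; all paths, names and property values are constructed.

```python
# Added example: simplified model of path-based revprop authorization.
# Not Subversion's code; paths, user and property values are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Change:
    path: str                       # path changed in the revision
    copyfrom: Optional[str] = None  # copy source, if the change is a copy

def can_read(readable, path):
    """True if path lies under one of the user's readable prefixes."""
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in readable)

def _level(checks):
    # Nothing to check or all readable -> full; some -> partial; else none.
    if all(checks):
        return "full"
    return "partial" if any(checks) else "none"

def access_flawed(readable, changes):
    """Pre-fix behaviour as described: only changed paths are checked."""
    return _level([can_read(readable, c.path) for c in changes])

def access_fixed(readable, changes):
    """Copy sources are checked as well, so a private source counts."""
    checks = []
    for c in changes:
        checks.append(can_read(readable, c.path))
        if c.copyfrom is not None:
            checks.append(can_read(readable, c.copyfrom))
    return _level(checks)

def visible_revprops(level, revprops):
    """Full access sees everything; partial only svn:author and svn:date."""
    allowed = {"full": set(revprops), "partial": {"svn:author", "svn:date"}}
    return {k: v for k, v in revprops.items() if k in allowed.get(level, set())}

# Constructed revision: /private/lib was copied to /public/lib.
REVPROPS = {"svn:author": "alice", "svn:date": "2007-06-01T10:00:00Z",
            "svn:log": "import from private branch"}
CHANGES = [Change("/public/lib", copyfrom="/private/lib")]
READABLE = ["/public"]  # the user may read only the public area

if __name__ == "__main__":
    for check in (access_flawed, access_fixed):
        print(check.__name__, visible_revprops(check(READABLE, CHANGES), REVPROPS))
```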