[arch-security] [ASA-201508-5] subversion: authentication bypass
rgacogne at archlinux.org
Fri Aug 14 09:13:32 UTC 2015
Arch Linux Security Advisory ASA-201508-5
Date : 2015-08-14
CVE-ID : CVE-2015-3184 CVE-2015-3187
Package : subversion
Type : authentication bypass
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package subversion before version 1.9.0-1 is vulnerable to
Upgrade to 1.9.0-1.
# pacman -Syu "subversion>=1.9.0-1"
The problem has been fixed upstream in version 1.9.0, 1.8.14 and 1.7.21.
CVE-2015-3184 can be mitigated by disabling mixed
There is no known workaround for CVE-2015-3187.
Subversion's mod_authz_svn does not properly restrict anonymous access
in some mixed anonymous/authenticated environments when using Apache
httpd 2.4. The result is that anonymous access may be possible to files
for which only authenticated access should be possible.
Subversion servers, both httpd and svnserve, will reveal some paths that
should be hidden by path-based authz. When a node is copied from an
unreadable location to a readable location the unreadable path may be
revealed. This vulnerability only reveals the path, it does not reveal
the contents of the path.
A remote unauthenticated attacker may be able to access files that
should be restricted to authenticated user.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: OpenPGP digital signature
More information about the arch-security