Pardus: 2011-109: Subversion: Multiple
Posted by Benjamin D. Thomas   
Multiple vulnerabilities have been fixed in subversion.
------------------------------------------------------------------------
Pardus Linux Security Advisory 2011-109           security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2011-09-05
      Type: Remote
------------------------------------------------------------------------

Summary
======
Multiple vulnerabilities have been fixed in subversion.


Description
==========
CVE-2011-1752 :

The mod_dav_svn module for the Apache HTTP Server, as distributed in
Apache Subversion before 1.6.17, allows remote attackers to cause a
denial of service (NULL pointer dereference and daemon crash) via a
request for a baselined WebDAV resource, as exploited in the wild in
May 2011.



CVE-2011-1783 :

The mod_dav_svn module for the Apache HTTP Server, as distributed in
Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz
short_circuit option is enabled, allows remote attackers to cause a
denial of service (infinite loop and memory consumption) in
opportunistic circumstances by requesting data.



CVE-2011-1921 :

The mod_dav_svn module for the Apache HTTP Server, as distributed in
Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz
short_circuit option is disabled, does not properly enforce permissions
for files that had been publicly readable in the past, which allows
remote attackers to obtain sensitive information via a replay REPORT
operation.


Affected packages:

  Pardus 2009:
    subversion, all before 1.6.15-62-22
  Pardus 2011:
    subversion, all before 1.6.17-68-p11
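
Triage example (added here, not part of the Pardus advisory or of
Subversion): it reads an httpd configuration, finds each <Location> that
serves DAV svn, and reports which of the three issues applies for a given
upstream version. The function names, the sample configuration and the On
default for an absent SVNPathAuthz are assumptions; for Pardus builds,
compare the package release against the list above rather than the
upstream version.

```python
import re

FIXED_UPSTREAM = (1, 6, 17)  # upstream release the advisory names as fixed
# Constructed sample httpd configuration (locations and paths are made up).
SAMPLE_CONF = """\
<Location /svn/public>
    DAV svn
    SVNPathAuthz short_circuit
</Location>
<Location /svn/internal>
    DAV svn
    AuthzSVNAccessFile /etc/svn/authz
</Location>
<Location /status>
    SetHandler server-status
</Location>
"""

def path_authz_modes(conf_text):
    """Map each <Location> that enables 'DAV svn' to its SVNPathAuthz value."""
    modes, location, dav_svn, mode = {}, None, False, "on"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if (opened := re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I)):
            # Assumption: SVNPathAuthz defaults to On when the directive is absent.
            location, dav_svn, mode = opened.group(1), False, "on"
        elif re.match(r"</Location>", line, re.I):
            if location is not None and dav_svn:
                modes[location] = mode
            location = None
        elif re.match(r"DAV\s+svn\b", line, re.I):
            dav_svn = True
        elif (directive := re.match(r"SVNPathAuthz\s+(\S+)", line, re.I)):
            mode = directive.group(1).lower()
    return modes

def triage(upstream_version, conf_text):
    """Return {location: [CVE ids]} for an upstream Subversion version string."""
    ver = tuple(int(part) for part in upstream_version.split("."))
    if ver >= FIXED_UPSTREAM:
        return {}
    findings = {}
    for location, mode in path_authz_modes(conf_text).items():
        cves = ["CVE-2011-1752"]  # applies to every release before 1.6.17
        if ver[:2] in ((1, 5), (1, 6)):  # the two SVNPathAuthz-dependent issues
            cves.append("CVE-2011-1783" if mode == "short_circuit" else "CVE-2011-1921")
        findings[location] = cves
    return findings
```
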


Resolution
=========
There are update(s) for subversion. You can update them via Package
Manager or with a single command from console:

  Pardus 2009:
    pisi up subversion

  Pardus 2011:
    pisi up subversion


References
=========
  * http://bugs.pardus.org.tr/show_bug.cgi?id846

------------------------------------------------------------------------