Looking for mod Subversion (mod_svn) 1.8.11 VC11, X64

Started by pgd, January 06, 2015, 11:36:37 AM


pgd

Hello,

Do you plan to release mod Subversion (mod_svn) 1.8.11 VC11, X64 in the near future?
Looking for it following a security advisory from Secunia: http://secunia.com/advisories/61131/
Source changes: http://svn.apache.org/repos/asf/subversion/branches/1.8.x/CHANGES

Thank you in advance
  Daniel

mario

Hi Daniel,

I can't view the Secunia stuff, because I have no login. What is important to build that new version?

Cheers

Gregg

http://subversion.apache.org/security/CVE-2014-3580-advisory.txt

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module will crash when it
  receives a REPORT request for some invalid formatted special URIs.

  This can lead to a DoS.  There are no known instances of this problem
  being exploited in the wild.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.  Repositories which
  allow for anonymous reads will be vulnerable without authentication.

  Unfortunately, no special configuration is required and all mod_dav_svn
  servers are vulnerable.

  A remote attacker may be able to crash a Subversion server.  Many Apache
  servers will respawn the listener processes, but a determined attacker
  will be able to crash these processes as they appear, denying service to
  legitimate users.  Servers using threaded MPMs will close the connection
  on other clients being served by the same process that services the
  request from the attacker.  In either case there is an increased
  processing impact of restarting a process and the cost of per process
  caches being lost.

Recommendations:
================

  We recommend all users to upgrade to Subversion 1.8.11.  Users of
  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No known workarounds are available.

References:
===========

  CVE-2014-3580  (Subversion)

mario

I see! Will build that this week. Sorry for the delay, but holidays are for family.

mario


pgd

Quote from: mario on January 11, 2015, 06:40:39 PM
The binaries are now on the download page

Thank you very much!
I will install them later today.