The Apache Haus Forum

Forum Topics => Third-party Modules => Topic started by: pgd on January 06, 2015, 11:36:37 AM

Title: Looking for mod Subversion (mod_svn) 1.8.11 VC11, X64
Post by: pgd on January 06, 2015, 11:36:37 AM
Hello,

Do you plan to release mod Subversion (mod_svn) 1.8.11 VC11, X64 in the near future?
Looking for it following a security advisory from Secunia: http://secunia.com/advisories/61131/
Source changes: http://svn.apache.org/repos/asf/subversion/branches/1.8.x/CHANGES

Thank you in advance
  Daniel
Title: Re: Looking for mod Subversion (mod_svn) 1.8.11 VC11, X64
Post by: mario on January 06, 2015, 11:52:54 AM
Hi Daniel,

I can't view the Secunia stuff, because I have no login. What is important to build that new version?

Cheers
Title: Re: Looking for mod Subversion (mod_svn) 1.8.11 VC11, X64
Post by: Gregg on January 06, 2015, 05:54:36 PM
http://subversion.apache.org/security/CVE-2014-3580-advisory.txt

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module will crash when it
  receives a REPORT request for some invalid formatted special URIs.

  This can lead to a DoS.  There are no known instances of this problem
  being exploited in the wild.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.  Repositories which
  allow for anonymous reads will be vulnerable without authentication.

  Unfortunately, no special configuration is required and all mod_dav_svn
  servers are vulnerable.

  A remote attacker may be able to crash a Subversion server.  Many Apache
  servers will respawn the listener processes, but a determined attacker
  will be able to crash these processes as they appear, denying service to
  legitimate users.  Servers using threaded MPMs will close the connection
  on other clients being served by the same process that services the
  request from the attacker. :P In either case there is an increased
  processing impact of restarting a process and the cost of per process
  caches being lost.

Recommendations:
================

  We recommend all users to upgrade to Subversion 1.8.11.  Users of
  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No known workarounds are available.

References:
===========

  CVE-2014-3580  (Subversion)
Title: Re: Looking for mod Subversion (mod_svn) 1.8.11 VC11, X64
Post by: mario on January 06, 2015, 06:21:20 PM
I see! Will build that this week. Sorry for the delay, but holidays are for family.
Title: Re: Looking for mod Subversion (mod_svn) 1.8.11 VC11, X64
Post by: mario on January 11, 2015, 06:40:39 PM
The binaries are now on the download page
Title: Re: Looking for mod Subversion (mod_svn) 1.8.11 VC11, X64
Post by: pgd on January 12, 2015, 10:38:23 AM
Quote from: mario on January 11, 2015, 06:40:39 PM
The binaries are now on the download page

Thank you very much!
I will install them later today.