oss-sec mailing list archives
Re: CVE request for subversion
From: Josh Bressers <bressers () redhat com>
Date: Wed, 5 Jan 2011 11:09:43 -0500 (EST)
----- Original Message -----
On Tue, Jan 4, 2011 at 10:02 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:Hello Kurt, Josh, vendors, Josh Bressers wrote:----- Original Message -----Unspecified vulnerability in the server component in Apache Subversion 1.6.x before 1.6.15 allows remote attackers to cause a denial of service via unknown vectors, related to a "several bug fixes, including two which can cause client-initiated crashes on the server." [1] http://svn.haxx.se/dev/archive-2010-11/0475.shtmlCc-ed Hyrum to shed more light into this one. [1] mentions two issues: <begin quote> ... several bug fixes, including two which can cause client-initiated crashes on the server. </end quote> Further look at: [2] http://svn.apache.org/repos/asf/subversion/tags/1.6.15/CHANGES suggest: A, "* prevent crash in mod_dav_svn when using SVNParentPath (r1033166)" being the first one. Upstream changeset: http://svn.apache.org/viewvc?view=revision&revision=1033166 and after discussion with Joe Orton, Joe suggested: B, * fix server-side memory leaks triggered by 'blame -g' (r1032808) References: http://svn.haxx.se/dev/archive-2010-11/0102.shtml Upstream changeset: http://svn.apache.org/viewvc?view=revision&revision=1032808 being the second one as denial of service attack (by memory consumption) against svnserve. Questions: ---------- Hyrum, could you confirm A, and B, issues are those two, mentioned in [2] to be able to cause client-initiated crashes on the server?I can confirm that A and B are the two issues mentioned in [2].I admit, this isn't obvious, so let's use CVE-2010-4539 for now. We can split it if needed once more information is known.Josh, since CVE-2010-4539 was assigned. Once Hyrum confirms, can we consider CVE-2010-4539 to be a CVE identifier for A, issue and request yet another / second one for B, issue?We didn't initially reserve CVEs for these vulnerabilities, but will be happy to update our documentation to reflect them. (See http://subversion.apache.org/security/ ) The two issues really are orthogonal, so B should probably not be included in a CVE for A. I've CC'd dev () subversion apache org to help coordinate advisory authoring.
OK, let's split the CVE id then. So for A, "* prevent crash in mod_dav_svn when using SVNParentPath (r1033166)" Upstream changeset: http://svn.apache.org/viewvc?view=revision&revision=1033166 Let's use CVE-2010-4539. For B, * fix server-side memory leaks triggered by 'blame -g' (r1032808) References: http://svn.haxx.se/dev/archive-2010-11/0102.shtml Upstream changeset: http://svn.apache.org/viewvc?view=revision&revision=1032808 Let's use CVE-2010-4644. Thanks. -- JB
Current thread:
- CVE request for subversion Kurt Seifried (Jan 02)
- Re: CVE request for subversion Josh Bressers (Jan 03)
- Re: CVE request for subversion Jan Lieskovsky (Jan 04)
- Re: CVE request for subversion Hyrum Wright (Jan 04)
- Re: CVE request for subversion Josh Bressers (Jan 05)
- Re: CVE request for subversion Hyrum K Wright (Jan 08)
- Re: CVE request for subversion Kurt Seifried (Jan 08)
- Re: CVE request for subversion Jan Lieskovsky (Jan 04)
- Re: CVE request for subversion Josh Bressers (Jan 03)