[gentoo-announce] [ GLSA 200407-20 ] Subversion: Vulnerability in mod_authz_svn - gentoo-announce

From:	"Joshua J. Berry" <condordes@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200407-20 ] Subversion: Vulnerability in mod_authz_svn
Date:	Mon, 26 Jul 2004 18:30:31
Message-Id:	`20040726182637.GA8663@deneb.condordes.net`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200407-20

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Low

8

     Title: Subversion: Vulnerability in mod_authz_svn

9

      Date: July 26, 2004

10

      Bugs: #57747

11

        ID: 200407-20

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Users with write access to parts of a Subversion repository may bypass

19

read restrictions in mod_authz_svn and read any part of the repository

20

they wish.

21

22

Background

23

==========

24

25

Subversion is an advanced version control system, similar to CVS, which

26

supports additional functionality such as the ability to move, copy and

27

delete files and directories. A Subversion server may be run as an

28

Apache module, a standalone server (svnserve), or on-demand over ssh (a

29

la CVS' ":ext:" protocol). The mod_authz_svn Apache module works with

30

Subversion in Apache to limit access to parts of Subversion

31

repositories based on policy set by the administrator.

32

33

Affected packages

34

=================

35

36

    -------------------------------------------------------------------

37

     Package              /   Vulnerable   /                Unaffected

38

    -------------------------------------------------------------------

39

  1  dev-util/subversion      <= 1.0.4-r1                     >= 1.0.6

40

41

Description

42

===========

43

44

Users with write access to part of a Subversion repository may bypass

45

read restrictions on any part of that repository. This can be done

46

using an "svn copy" command to copy the portion of a repository the

47

user wishes to read into an area where they have write access.

48

49

Since copies are versioned, any such copy attempts will be readily

50

apparent.

51

52

Impact

53

======

54

55

This is a low-risk vulnerability. It affects only users of Subversion

56

who are running servers inside Apache and using mod_authz_svn.

57

Additionally, this vulnerability may be exploited only by users with

58

write access to some portion of a repository.

59

60

Workaround

61

==========

62

63

Keep sensitive content separated into different Subversion

64

repositories, or disable the Apache Subversion server and use svnserve

65

instead.

66

67

Resolution

68

==========

69

70

All Subversion users should upgrade to the latest available version:

71

72

    # emerge sync

73

74

    # emerge -pv ">=dev-util/subversion-1.0.6"

75

    # emerve ">=dev-util/subversion-1.0.6"

76

77

References

78

==========

79

80

  [ 1 ] ChangeLog for Subversion 1.0.6

81

        http://svn.collab.net/repos/svn/tags/1.0.6/CHANGES

82

83

Availability

84

============

85

86

This GLSA and any updates to it are available for viewing at

87

the Gentoo Security Website:

88

89

    http://security.gentoo.org/glsa/glsa-200407-20.xml

90

91

Concerns?

92

=========

93

94

Security is a primary focus of Gentoo Linux and ensuring the

95

confidentiality and security of our users machines is of utmost

96

importance to us. Any security concerns should be addressed to

97

security@g.o or alternatively, you may file a bug at

98

http://bugs.gentoo.org.

99

100

License

101

=======

102

103

Copyright 2004 Gentoo Foundation, Inc; referenced text

104

belongs to its owner(s).

105

106

The contents of this document are licensed under the

107

Creative Commons - Attribution / Share Alike license.

108

109

http://creativecommons.org/licenses/by-sa/1.0

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200407-20
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: Subversion: Vulnerability in mod_authz_svn
9	Date: July 26, 2004
10	Bugs: #57747
11	ID: 200407-20
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Users with write access to parts of a Subversion repository may bypass
19	read restrictions in mod_authz_svn and read any part of the repository
20	they wish.
21
22	Background
23	==========
24
25	Subversion is an advanced version control system, similar to CVS, which
26	supports additional functionality such as the ability to move, copy and
27	delete files and directories. A Subversion server may be run as an
28	Apache module, a standalone server (svnserve), or on-demand over ssh (a
29	la CVS' ":ext:" protocol). The mod_authz_svn Apache module works with
30	Subversion in Apache to limit access to parts of Subversion
31	repositories based on policy set by the administrator.
32
33	Affected packages
34	=================
35
36	-------------------------------------------------------------------
37	Package / Vulnerable / Unaffected
38	-------------------------------------------------------------------
39	1 dev-util/subversion <= 1.0.4-r1 >= 1.0.6
40
41	Description
42	===========
43
44	Users with write access to part of a Subversion repository may bypass
45	read restrictions on any part of that repository. This can be done
46	using an "svn copy" command to copy the portion of a repository the
47	user wishes to read into an area where they have write access.
48
49	Since copies are versioned, any such copy attempts will be readily
50	apparent.
51
52	Impact
53	======
54
55	This is a low-risk vulnerability. It affects only users of Subversion
56	who are running servers inside Apache and using mod_authz_svn.
57	Additionally, this vulnerability may be exploited only by users with
58	write access to some portion of a repository.
59
60	Workaround
61	==========
62
63	Keep sensitive content separated into different Subversion
64	repositories, or disable the Apache Subversion server and use svnserve
65	instead.
66
67	Resolution
68	==========
69
70	All Subversion users should upgrade to the latest available version:
71
72	# emerge sync
73
74	# emerge -pv ">=dev-util/subversion-1.0.6"
75	# emerve ">=dev-util/subversion-1.0.6"
76
77	References
78	==========
79
80	[ 1 ] ChangeLog for Subversion 1.0.6
81	http://svn.collab.net/repos/svn/tags/1.0.6/CHANGES
82
83	Availability
84	============
85
86	This GLSA and any updates to it are available for viewing at
87	the Gentoo Security Website:
88
89	http://security.gentoo.org/glsa/glsa-200407-20.xml
90
91	Concerns?
92	=========
93
94	Security is a primary focus of Gentoo Linux and ensuring the
95	confidentiality and security of our users machines is of utmost
96	importance to us. Any security concerns should be addressed to
97	security@g.o or alternatively, you may file a bug at
98	http://bugs.gentoo.org.
99
100	License
101	=======
102
103	Copyright 2004 Gentoo Foundation, Inc; referenced text
104	belongs to its owner(s).
105
106	The contents of this document are licensed under the
107	Creative Commons - Attribution / Share Alike license.
108
109	http://creativecommons.org/licenses/by-sa/1.0

Gentoo Archives: gentoo-announce