Bug 1033995 (CVE-2013-4505)

Summary: CVE-2013-4505 subversion: mod_dontdothat does not block requests from certain clients
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jkurik, jorton, pfrields, security-response-team, vanmeeuwen+fedora, vdanen
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: subversion 1.7.14, subversion 1.8.5
Doc Type: Bug Fix
Last Closed: 2013-12-11 10:20:17 UTC
Bug Depends On: 1033452, 1034377
Bug Blocks: 1033435

Description Murray McAllister 2013-11-25 02:15:58 UTC
It was found that mod_dontdothat did not block requests from certain clients (such as Serf-based clients). This could allow a client to bypass intended mod_dontdothat restrictions and use more resources on the server than expected. This issue affected mod_dontdothat versions 1.4.0 to 1.7.13, and 1.8.0 to 1.8.4. It has been corrected in versions 1.7.14 and 1.8.5.

mod_dontdothat is included in the subversion sources for Red Hat Enterprise Linux 5 and 6; however, it is not built and shipped for those products, leaving them unaffected by this flaw.

Acknowledgements:

Red Hat would like to thank the Apache Subversion project for reporting this issue. Upstream acknowledges Ben Reser as the original reporter.

Comment 2 Vincent Danen 2013-11-25 17:17:15 UTC
External References:

http://subversion.apache.org/security/CVE-2013-4505-advisory.txt

Comment 3 Vincent Danen 2013-11-25 17:21:24 UTC
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1034377]

Comment 4 Murray McAllister 2013-11-26 05:01:04 UTC
Statement:

Not vulnerable. This issue did not affect the versions of Subversion in Red Hat Enterprise Linux 5 and 6.

Comment 5 Fedora Update System 2013-12-11 02:00:07 UTC
subversion-1.7.14-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-12-11 02:00:34 UTC
subversion-1.7.14-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-12-31 19:02:52 UTC
subversion-1.8.5-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.