Bug 1127063 (CVE-2014-3522)

Summary: CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (repository access) layer
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jorton, jrusnack, security-response-team, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: subversion 1.7.18, subversion 1.8.10 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-10 23:26:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1128884    
Bug Blocks: 1127064    
Attachments:
Description Flags
Upstream advisory draft
none
Patch against subversion 1.7.17
none
Patch against subversion 1.8.9 none

Description Murray McAllister 2014-08-06 04:12:01 UTC
It was reported that Subversion's Serf RA layer did not correctly validate SSL certificates containing wildcards. A certificate that falls within the wildcard range would be accepted as a valid, possibly leading to man-in-the-middle attacks.

This issue only affected Subversion clients that use Serf. Neon, which is used by Subversion clients in Red Hat Enterprise Linux 5, 6, and 7, is not affected.

Comment 2 Tomas Hoger 2014-08-06 08:43:28 UTC
Created attachment 924402 [details]
Upstream advisory draft

Comment 3 Tomas Hoger 2014-08-06 08:43:56 UTC
Created attachment 924403 [details]
Patch against subversion 1.7.17

Comment 4 Tomas Hoger 2014-08-06 08:44:22 UTC
Created attachment 924404 [details]
Patch against subversion 1.8.9

Comment 5 Tomas Hoger 2014-08-06 09:08:05 UTC
Note that the above patches introduce one other unrelated change - if any Subject Alternate Name is listed in the certificate, the Common Name in the certificate subject will no longer be checked.  This is consistent with the HTTPS RFC 2818, section 3.1 (http://tools.ietf.org/html/rfc2818#section-3.1).

However, this was not enforced prior to this fix, and may not be enforced by all TLS/SSL libraries.  Hence the change may cause a certificate to be rejected even if it was accepted previously, and is accepted by other tools

The solution is to ensure that hostname listed in Common Name is also listed as Subject Alternate Name whenever any Subject Alternate Name is used.

Comment 6 Tomas Hoger 2014-08-06 09:10:51 UTC
Acknowledgment:

Red Hat would like to thank the Subversion project for reporting this issue. Upstream acknowledges Ben Reser of WANdisco as the original reporter.

Statement:

Not vulnerable. This issue did not the versions of subversion as shipped with Red Hat Enterprise Linux 5, 6, and 7, as they do not use the Serf RA layer.

Comment 7 Tomas Hoger 2014-08-06 09:13:38 UTC
(In reply to Murray McAllister from comment #0)
> This issue only affected Subversion clients that use Serf. Neon, which is
> used by Subversion clients in Red Hat Enterprise Linux 5, 6, and 7, is not
> affected.

The subversion in Fedora 19 and earlier do not use Serf and use Neon.  Hence they were not affected by this issue.  Fedora 20 and later includes subversion 1.8, which no longer supports Neon and uses Serf instead.  Therefore, packages in Fedora 20 and later are affected.

The change from Neon to Serf was done as part of rebase to 1.8:
http://pkgs.fedoraproject.org/cgit/subversion.git/commit/?h=f20&id=83f457f

Comment 8 Vincent Danen 2014-08-11 18:20:39 UTC
External References:

http://subversion.apache.org/security/CVE-2014-3522-advisory.txt

Comment 9 Vincent Danen 2014-08-11 18:22:51 UTC
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1128884]

Comment 10 Vincent Danen 2014-09-10 23:26:47 UTC
subversion-1.8.10-1.fc20 was pushed to the Fedora 20 stable repository on 2014-08-28.