Bug 1127063 (CVE-2014-3522)
| Summary: | CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (repository access) layer | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> | ||||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | unspecified | CC: | jorton, jrusnack, security-response-team, vdanen | ||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | subversion 1.7.18, subversion 1.8.10 | Doc Type: | Bug Fix | ||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2014-09-10 23:26:47 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | 1128884 | ||||||||||
| Bug Blocks: | 1127064 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Murray McAllister
2014-08-06 04:12:01 UTC
Created attachment 924402 [details]
Upstream advisory draft
Created attachment 924403 [details]
Patch against subversion 1.7.17
Created attachment 924404 [details]
Patch against subversion 1.8.9
Note that the above patches introduce one other unrelated change - if any Subject Alternate Name is listed in the certificate, the Common Name in the certificate subject will no longer be checked. This is consistent with the HTTPS RFC 2818, section 3.1 (http://tools.ietf.org/html/rfc2818#section-3.1). However, this was not enforced prior to this fix, and may not be enforced by all TLS/SSL libraries. Hence the change may cause a certificate to be rejected even if it was accepted previously, and is accepted by other tools The solution is to ensure that hostname listed in Common Name is also listed as Subject Alternate Name whenever any Subject Alternate Name is used. Acknowledgment: Red Hat would like to thank the Subversion project for reporting this issue. Upstream acknowledges Ben Reser of WANdisco as the original reporter. Statement: Not vulnerable. This issue did not the versions of subversion as shipped with Red Hat Enterprise Linux 5, 6, and 7, as they do not use the Serf RA layer. (In reply to Murray McAllister from comment #0) > This issue only affected Subversion clients that use Serf. Neon, which is > used by Subversion clients in Red Hat Enterprise Linux 5, 6, and 7, is not > affected. The subversion in Fedora 19 and earlier do not use Serf and use Neon. Hence they were not affected by this issue. Fedora 20 and later includes subversion 1.8, which no longer supports Neon and uses Serf instead. Therefore, packages in Fedora 20 and later are affected. The change from Neon to Serf was done as part of rebase to 1.8: http://pkgs.fedoraproject.org/cgit/subversion.git/commit/?h=f20&id=83f457f External References: http://subversion.apache.org/security/CVE-2014-3522-advisory.txt Created subversion tracking bugs for this issue: Affects: fedora-all [bug 1128884] subversion-1.8.10-1.fc20 was pushed to the Fedora 20 stable repository on 2014-08-28. |