|Summary:|CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (repository access) layer|
|Product:|[Other] Security Response|
|Reporter:|Murray McAllister <mmcallis>|
|Component:|vulnerability|
|Assignee:|Red Hat Product Security <security-response-team>|
|Status:|CLOSED ERRATA|
|QA Contact:||
|Version:|unspecified|
|CC:|jorton, jrusnack, security-response-team, vdanen|
|Fixed In Version:|subversion 1.7.18, subversion 1.8.10|
|Doc Type:|Bug Fix|
|Doc Text:||
|Story Points:|---|
|Last Closed:|2014-09-10 23:26:47 UTC|
|Type:|---|
|oVirt Team:|---|
|RHEL 7.3 requirements from Atomic Host:||
|Cloudforms Team:|---|
|Target Upstream Version:||
|Bug Depends On:|1128884|
Description Murray McAllister 2014-08-06 04:12:01 UTC
It was reported that Subversion's Serf RA layer did not correctly validate SSL certificates containing wildcards. A certificate that falls within the wildcard range would be accepted as valid, possibly leading to man-in-the-middle attacks. This issue only affected Subversion clients that use Serf. Neon, which is used by Subversion clients in Red Hat Enterprise Linux 5, 6, and 7, is not affected.
Comment 2 Tomas Hoger 2014-08-06 08:43:28 UTC
Created attachment 924402: Upstream advisory draft
Comment 3 Tomas Hoger 2014-08-06 08:43:56 UTC
Created attachment 924403: Patch against subversion 1.7.17
Comment 4 Tomas Hoger 2014-08-06 08:44:22 UTC
Created attachment 924404: Patch against subversion 1.8.9
Comment 5 Tomas Hoger 2014-08-06 09:08:05 UTC
Note that the above patches introduce one other unrelated change: if any Subject Alternate Name is listed in the certificate, the Common Name in the certificate subject will no longer be checked. This is consistent with the HTTPS RFC 2818, section 3.1 (http://tools.ietf.org/html/rfc2818#section-3.1). However, this was not enforced prior to this fix, and may not be enforced by all TLS/SSL libraries. Hence the change may cause a certificate to be rejected even if it was accepted previously, and is accepted by other tools. The solution is to ensure that the hostname listed in the Common Name is also listed as a Subject Alternate Name whenever any Subject Alternate Name is used.
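As an added illustration of the RFC 2818 section 3.1 rules referred to in comment 5 (this is example code, not Subversion's or Serf's own hostname checker): a wildcard covers exactly one leftmost label, and once any SAN dNSName is present the CN is ignored. All hostnames and certificate fields below are constructed; restricting "*" to a whole label (rather than the "f*.com" form RFC 2818 also mentions) is an assumption of this example.

```python
# Added example, not Subversion/Serf code: an RFC 2818 section 3.1 style
# hostname check of the kind the patches enforce. Names below are constructed.
from typing import Iterable, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against the target host.

    A '*' is accepted only as the whole leftmost label and covers exactly one
    label, so '*.example.com' matches 'svn.example.com' but neither
    'a.svn.example.com' nor 'example.com'. Bare '*' and '*.com' are refused.
    (Whole-label-only wildcards are the strict reading; an assumption here.)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                  # wildcard must be the whole leftmost label
    if any("*" in label for label in p_labels[1:]):
        return False                  # no wildcards anywhere else in the name
    if len(h_labels) != len(p_labels):
        return False                  # '*' never spans several labels
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cn: Optional[str], san_dns: Iterable[str], hostname: str) -> bool:
    """RFC 2818 3.1: if any SAN dNSName exists, the CN is not consulted at all.

    This is the behaviour change comment 5 warns about: a certificate whose
    CN names the host but whose SAN list does not is rejected.
    """
    san_dns = list(san_dns)
    names = san_dns if san_dns else ([cn] if cn else [])
    return any(hostname_matches(name, hostname) for name in names)


if __name__ == "__main__":
    # Constructed certificate identities, not taken from any real server.
    print(cert_matches_host("svn.example.com", [], "svn.example.com"))                      # True
    print(cert_matches_host(None, ["*.example.com"], "svn.example.com"))                    # True
    print(cert_matches_host(None, ["*.example.com"], "a.svn.example.com"))                  # False
    print(cert_matches_host("svn.example.com", ["other.example.com"], "svn.example.com"))   # False
```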
Comment 6 Tomas Hoger 2014-08-06 09:10:51 UTC
Acknowledgment: Red Hat would like to thank the Subversion project for reporting this issue. Upstream acknowledges Ben Reser of WANdisco as the original reporter. Statement: Not vulnerable. This issue did not affect the versions of subversion as shipped with Red Hat Enterprise Linux 5, 6, and 7, as they do not use the Serf RA layer.
Comment 7 Tomas Hoger 2014-08-06 09:13:38 UTC
(In reply to Murray McAllister from comment #0)
> This issue only affected Subversion clients that use Serf. Neon, which is
> used by Subversion clients in Red Hat Enterprise Linux 5, 6, and 7, is not
> affected.

The subversion in Fedora 19 and earlier does not use Serf and uses Neon. Hence they were not affected by this issue. Fedora 20 and later include subversion 1.8, which no longer supports Neon and uses Serf instead. Therefore, packages in Fedora 20 and later are affected. The change from Neon to Serf was done as part of the rebase to 1.8: http://pkgs.fedoraproject.org/cgit/subversion.git/commit/?h=f20&id=83f457f
Comment 8 Vincent Danen 2014-08-11 18:20:39 UTC
External References: http://subversion.apache.org/security/CVE-2014-3522-advisory.txt
Comment 9 Vincent Danen 2014-08-11 18:22:51 UTC
Created subversion tracking bugs for this issue: Affects: fedora-all [bug 1128884]
Comment 10 Vincent Danen 2014-09-10 23:26:47 UTC
subversion-1.8.10-1.fc20 was pushed to the Fedora 20 stable repository on 2014-08-28.