Bug 1127063 (CVE-2014-3522) - CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (repository access) layer
Summary: CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (re...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3522
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1128884
Blocks: 1127064
TreeView+ depends on / blocked
 
Reported: 2014-08-06 04:12 UTC by Murray McAllister
Modified: 2019-09-29 13:20 UTC (History)
4 users (show)

Fixed In Version: subversion 1.7.18, subversion 1.8.10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-10 23:26:47 UTC


Attachments (Terms of Use)
Upstream advisory draft (5.78 KB, text/plain)
2014-08-06 08:43 UTC, Tomas Hoger
no flags Details
Patch against subversion 1.7.17 (15.99 KB, patch)
2014-08-06 08:43 UTC, Tomas Hoger
no flags Details | Diff
Patch against subversion 1.8.9 (16.61 KB, patch)
2014-08-06 08:44 UTC, Tomas Hoger
no flags Details | Diff

Description Murray McAllister 2014-08-06 04:12:01 UTC
It was reported that Subversion's Serf RA layer did not correctly validate SSL certificates containing wildcards. A certificate that falls within the wildcard range would be accepted as a valid, possibly leading to man-in-the-middle attacks.

This issue only affected Subversion clients that use Serf. Neon, which is used by Subversion clients in Red Hat Enterprise Linux 5, 6, and 7, is not affected.

Comment 2 Tomas Hoger 2014-08-06 08:43:28 UTC
Created attachment 924402 [details]
Upstream advisory draft

Comment 3 Tomas Hoger 2014-08-06 08:43:56 UTC
Created attachment 924403 [details]
Patch against subversion 1.7.17

Comment 4 Tomas Hoger 2014-08-06 08:44:22 UTC
Created attachment 924404 [details]
Patch against subversion 1.8.9

Comment 5 Tomas Hoger 2014-08-06 09:08:05 UTC
Note that the above patches introduce one other unrelated change - if any Subject Alternate Name is listed in the certificate, the Common Name in the certificate subject will no longer be checked.  This is consistent with the HTTPS RFC 2818, section 3.1 (http://tools.ietf.org/html/rfc2818#section-3.1).

However, this was not enforced prior to this fix, and may not be enforced by all TLS/SSL libraries.  Hence the change may cause a certificate to be rejected even if it was accepted previously, and is accepted by other tools

The solution is to ensure that hostname listed in Common Name is also listed as Subject Alternate Name whenever any Subject Alternate Name is used.

Comment 6 Tomas Hoger 2014-08-06 09:10:51 UTC
Acknowledgment:

Red Hat would like to thank the Subversion project for reporting this issue. Upstream acknowledges Ben Reser of WANdisco as the original reporter.

Statement:

Not vulnerable. This issue did not the versions of subversion as shipped with Red Hat Enterprise Linux 5, 6, and 7, as they do not use the Serf RA layer.

Comment 7 Tomas Hoger 2014-08-06 09:13:38 UTC
(In reply to Murray McAllister from comment #0)
> This issue only affected Subversion clients that use Serf. Neon, which is
> used by Subversion clients in Red Hat Enterprise Linux 5, 6, and 7, is not
> affected.

The subversion in Fedora 19 and earlier do not use Serf and use Neon.  Hence they were not affected by this issue.  Fedora 20 and later includes subversion 1.8, which no longer supports Neon and uses Serf instead.  Therefore, packages in Fedora 20 and later are affected.

The change from Neon to Serf was done as part of rebase to 1.8:
http://pkgs.fedoraproject.org/cgit/subversion.git/commit/?h=f20&id=83f457f

Comment 8 Vincent Danen 2014-08-11 18:20:39 UTC
External References:

http://subversion.apache.org/security/CVE-2014-3522-advisory.txt

Comment 9 Vincent Danen 2014-08-11 18:22:51 UTC
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1128884]

Comment 10 Vincent Danen 2014-09-10 23:26:47 UTC
subversion-1.8.10-1.fc20 was pushed to the Fedora 20 stable repository on 2014-08-28.


Note You need to log in before you can comment on or make changes to this bug.