Bug 1247249 (CVE-2015-3184) - CVE-2015-3184 subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3184
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1242733 1250879 1252262
Blocks: 1247253
Reported: 2015-07-27 15:58 UTC by Vasyl Kaigorodov
Modified: 2023-05-12 09:52 UTC (History)

Fixed In Version: Subversion 1.8.14, Subversion 1.7.21
Doc Type: Bug Fix
Doc Text:
It was found that the mod_authz_svn module did not properly restrict anonymous access to Subversion repositories under certain configurations when used with Apache httpd 2.4.x. This could allow a user to anonymously access files in a Subversion repository, which should only be accessible to authenticated users.
Clone Of:
Environment:
Last Closed: 2015-09-15 05:59:16 UTC
Embargoed:


Attachments
svn1.7.20.patch (113.52 KB, text/plain), 2015-07-27 16:05 UTC, Vasyl Kaigorodov
svn1.8.patch (113.74 KB, text/plain), 2015-07-27 16:05 UTC, Vasyl Kaigorodov


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1742 0 normal SHIPPED_LIVE Moderate: subversion security update 2015-09-08 17:09:57 UTC

Description Vasyl Kaigorodov 2015-07-27 15:58:38 UTC
Below is the upstream report about a security issue in Subversion:

Summary
=======

  Subversion's mod_authz_svn does not properly restrict anonymous
  access in some mixed anonymous/authenticated environments when using
  Apache httpd 2.4.  The result is that anonymous access may be possible
  to files for which only authenticated access should be possible.

Known vulnerable
================

  CVE-2015-3185 Apache httpd 2.4.0 to 2.4.12
  CVE-2015-3184 Apache Subversion 1.8.0 to 1.8.13
  CVE-2015-3184 Apache Subversion 1.7.0 to 1.7.20

  Servers are vulnerable if either httpd or Subversion is as listed.

  Subversion 1.6 does not build with httpd 2.4 and servers using
  httpd 2.2 are not vulnerable.  Servers that are configured to deny
  anonymous access are not vulnerable.

Known fixed
===========

  Apache httpd 2.4.13
  Apache Subversion 1.8.14 and 1.7.21

  Both httpd and Subversion need to be updated.

Details
=======

  If you have a Subversion repository configured for anonymous read
  that has mod_authz_svn configured such that some portion of the
  repository is hidden from an anonymous user, then in certain cases
  when Subversion is used with Apache httpd 2.4.x the file contents of
  the repository may be exposed to someone who knows the path name
  within the repository.  The protected files and directories will not
  show on directory listings.  Protected directories that do not show
  in their parent will return an empty directory listing rather than a
  403 error.  Protected files will return the full content of the
  file.  Specifically the conditions required for this to happen are
  that there needs to be a <Directory> block for the DocumentRoot
  allowing access to everyone (e.g. Require all granted) and "Satisfy
  any" must not be set.  This sort of configuration is included in the
  default httpd.conf that `make install` provides and is fairly
  standard.

Severity
========

  CVSSv2 Base Score: 4.3
  CVSSv2 Base Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

  The repository needs to be configured with mixed anonymous and
  authenticated path-based authz and the attacker needs to know
  the paths to files in the repository that require authentication.

Acknowledgements:

Red Hat would like to thank Apache Software Foundation for reporting this issue. Upstream acknowledges C. Michael Pilato, CollabNet, as the original reporter.

Statement:

This issue did not affect versions of subversion as shipped with Red Hat Enterprise Linux 5 and 6.
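
A triage aid for the conditions in the advisory above, added here as an example and not taken from the bug report or from Subversion: it checks version strings against the listed ranges and flags svn `<Location>` blocks for review. The function names and the sample configuration are constructed; treating `AuthzSVNAccessFile` as the marker of path-based authz and looking for `Satisfy any` inside the same block are assumptions, and the authz file itself is not read, so a hit is a candidate, not a confirmed exposure.

```python
import re

# Inclusive affected ranges, copied from "Known vulnerable" above.
AFFECTED = {
    "httpd": [((2, 4, 0), (2, 4, 12))],
    "subversion": [((1, 8, 0), (1, 8, 13)), ((1, 7, 0), (1, 7, 20))],
}
BLOCK = re.compile(r"<(Directory|Location)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

def in_affected_range(product, version):
    v = tuple(int(p) for p in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])

def has(directive_re, body):
    return re.search(r"^\s*" + directive_re, body, re.M | re.I) is not None

def locations_to_review(conf_text):
    """Return svn <Location> paths matching the conditions in "Details"."""
    text = "\n".join(l for l in conf_text.splitlines()
                     if not l.lstrip().startswith("#"))
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', text, re.M | re.I)
    docroot = m.group(1).rstrip("/") if m else None
    open_docroot, hits = False, []
    for kind, arg, body in BLOCK.findall(text):
        arg = arg.strip().strip('"')
        if kind.lower() == "directory":
            if arg.rstrip("/") == docroot and has(r"Require\s+all\s+granted\b", body):
                open_docroot = True
        # Assumptions: AuthzSVNAccessFile marks path-based authz; Satisfy is per-block.
        elif has(r"AuthzSVNAccessFile\s", body) and not has(r"Satisfy\s+any\b", body):
            hits.append(arg)
    return hits if open_docroot else []

# Constructed sample configuration (paths are placeholders).
SAMPLE = """
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Require all granted
</Directory>
<Location /repos>
    DAV svn
    AuthzSVNAccessFile /etc/svn/authz
</Location>
<Location /private>
    DAV svn
    AuthzSVNAccessFile /etc/svn/authz
    Satisfy Any
</Location>
"""
print(locations_to_review(SAMPLE), in_affected_range("httpd", "2.4.12"))
```

Because the advisory states that both httpd and Subversion need to be updated, run `in_affected_range` for each product and treat the server as affected if either call returns true.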

Comment 1 Vasyl Kaigorodov 2015-07-27 16:05:12 UTC
Created attachment 1056673
svn1.7.20.patch

Comment 2 Vasyl Kaigorodov 2015-07-27 16:05:15 UTC
Created attachment 1056674
svn1.8.patch

Comment 5 Tomas Hoger 2015-07-29 14:39:11 UTC
The fix for this issue depends on httpd fix for CVE-2015-3185 (bug 1243888).

Comment 7 Martin Prpič 2015-08-06 08:29:49 UTC
External References:

http://subversion.apache.org/security/CVE-2015-3184-advisory.txt

Comment 8 Martin Prpič 2015-08-06 08:33:17 UTC
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1250879]

Comment 14 errata-xmlrpc 2015-09-08 13:10:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1742 https://rhn.redhat.com/errata/RHSA-2015-1742.html

Comment 15 Fedora Update System 2016-02-29 22:21:56 UTC
subversion-1.8.15-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.