Red Hat Bugzilla – Bug 1247249
CVE-2015-3184 subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4
Last modified: 2016-02-29 17:21:56 EST
Below is the upstream report about a security issue in Subversion:
Subversion's mod_authz_svn does not properly restrict anonymous
access in some mixed anonymous/authenticated environments when using
Apache httpd 2.4. The result is that anonymous access may be possible
to files for which only authenticated access should be possible.
CVE-2015-3185 Apache httpd 2.4.0 to 2.4.12
CVE-2015-3184 Apache Subversion 1.8.0 to 1.8.13
CVE-2015-3184 Apache Subversion 1.7.0 to 1.7.20
Servers are vulnerable if either httpd or Subversion is as listed.
Subversion 1.6 does not build with httpd 2.4 and servers using
httpd 2.2 are not vulnerable. Servers that are configured to deny
anonymous access are not vulnerable.
Apache httpd 2.4.13
Apache Subversion 1.8.14 and 1.7.21
Both httpd and Subversion need to be updated.
If you have a Subversion repository configured for anonymous read
that has mod_authz_svn configured such that some portion of the
repository is hidden from an anonymous user, then in certain cases
when Subversion is used with Apache httpd 2.4.x the file contents of
the repository may be exposed to someone who knows the path name
within the repository. The protected files and directories will not
show on directory listings. Protected directories that do not show
in their parent will return an empty directory listing rather than a
403 error. Protected files will return the full content of the
file. Specifically the conditions required for this to happen is
that there needs to be a <Directory> block for the DocumentRoot
allowing access to everyone (e.g. Require all granted) and "Satisfy
any" must not be set. This sort of configuration is included in the
default httpd.conf that `make install` provides and is fairly
CVSSv2 Base Score: 4.3
CVSSv2 Base Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
The repository needs to be configured with mixed anonymous and
authenticated path-based authz and the the attacker needs to know
the paths to files in the repository that require authentication.
Red Hat would like to thank Apache Software Foundation for reporting this issue. Upstream acknowledges C. Michael Pilato, CollabNet, as the original reporter.
This issue did not affect versions of subversion as shipped with Red Hat Enterprise Linux 5 and 6.
Created attachment 1056673 [details]
Created attachment 1056674 [details]
The fix for this issue depends on httpd fix for CVE-2015-3185 (bug 1243888).
Created subversion tracking bugs for this issue:
Affects: fedora-all [bug 1250879]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:1742 https://rhn.redhat.com/errata/RHSA-2015-1742.html
subversion-1.8.15-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.