A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL argument. A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to an honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://, because the svn:externals definitions they fetch can point at svn+ssh:// URLs regardless of the scheme of the parent repository.
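Because the client follows whatever URLs the repository hands it, a practical defensive check is to review svn:externals definitions before a checkout or update and report any external that would open a tunnel (svn+ssh:// or another svn+<tunnel>:// scheme) to a host outside an allowlist. The script below is an added example and is not code from the Subversion project or from the advisory; it parses the documented svn:externals line syntax ([-r REV] URL PATH, or the older PATH [-r REV] URL), resolves scheme-relative (//host/...) externals against the parent URL's scheme, and flags tunnel URLs whose host is malformed or untrusted. The allowlist, the hostname grammar used for the check and the sample property value are constructed assumptions.

```python
"""Audit svn:externals definitions for svn+<tunnel>:// targets.

Added example, not Subversion project code. Parses the documented
svn:externals syntax ([-r REV] URL PATH, or PATH [-r REV] URL) and
reports tunnel URLs to hosts that are malformed or not on an allowlist.
"""
import re
import shlex
from urllib.parse import urlsplit

# Hosts this site's repositories may tunnel to (constructed assumption).
TRUSTED_SSH_HOSTS = {"svn.example.org"}

# RFC 1123 hostname grammar: dot-separated labels of letters, digits and
# interior hyphens. Anything else is reported instead of being tunneled to.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def _looks_like_url(token):
    """True for absolute URLs and the relative forms svn:externals allows."""
    return "://" in token or token.startswith(("^/", "//", "/", "../"))


def parse_externals(prop_value):
    """Yield (url, path, rev) for each definition in an svn:externals value."""
    for raw in prop_value.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rev, rest, tokens = None, [], shlex.split(line)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-r" and i + 1 < len(tokens):      # "-r 42"
                rev, i = tokens[i + 1], i + 2
            elif tok.startswith("-r") and len(tok) > 2:  # "-r42"
                rev, i = tok[2:], i + 1
            else:
                rest.append(tok)
                i += 1
        if len(rest) != 2:
            continue  # not a well-formed definition
        first, second = rest
        url, path = (first, second) if _looks_like_url(first) else (second, first)
        yield url, path, rev


def audit_externals(prop_value, parent_url, trusted_hosts=TRUSTED_SSH_HOSTS):
    """Return (url, path, reason) findings for externals that would open a
    tunnel to a host outside trusted_hosts. parent_url is the URL of the
    directory carrying the property: '//host/...' externals inherit its
    scheme, so they can reach another host over the same tunnel."""
    findings = []
    trusted = {h.lower() for h in trusted_hosts}
    for url, path, _rev in parse_externals(prop_value):
        if url.startswith("//"):
            url = urlsplit(parent_url).scheme + ":" + url
        if "://" not in url:
            continue  # ^/, / and ../ forms stay on the parent's server
        try:
            parts = urlsplit(url)
            host = parts.hostname or ""
        except ValueError:
            findings.append((url, path, "unparsable URL"))
            continue
        if not parts.scheme.lower().startswith("svn+"):
            continue  # only svn+<tunnel>:// schemes run a tunnel command
        if not HOSTNAME_RE.match(host):
            findings.append((url, path, "tunnel URL with malformed host"))
        elif host.lower() not in trusted:
            findings.append((url, path, "tunnel URL to untrusted host " + host))
    return findings


# Constructed sample, as 'svn propget svn:externals' would print it.
SAMPLE_EXTERNALS = """\
# constructed sample property value
^/trunk/common common
-r 42 svn+ssh://svn.example.org/repos/libfoo vendor/libfoo
vendor/bar -r5 svn+ssh://SVN.example.org/repos/bar
https://svn.example.org/repos/docs docs
svn+ssh://build-mirror.internal.test/repos/tools tools
//other-mirror.example.net/repos/x x
"""

if __name__ == "__main__":
    parent = "svn+ssh://svn.example.org/repos/main"
    for url, path, reason in audit_externals(SAMPLE_EXTERNALS, parent):
        print(f"{reason}: {url} -> {path}")
```

Run it against the output of `svn propget -R svn:externals` on a fresh checkout (or on the URL, before checking out) and treat every finding as something to review by hand; externals pointing at https:// or at the parent's own server pass, while the two sample lines that would tunnel to hosts off the allowlist are reported.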
Acknowledgments: the Subversion Team
Mitigation: There are various methods available to mitigate this issue. For further information, please refer to the Subversion advisory available at: https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Public via: https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Created subversion tracking bugs for this issue: Affects: fedora-all [bug 1480335]
External Reference: https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, via RHSA-2017:2480 (https://access.redhat.com/errata/RHSA-2017:2480)