Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3315 to the following vulnerability: authz.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when SVNPathAuthz short_circuit is enabled, does not properly handle a named repository as a rule scope, which allows remote authenticated users to bypass intended access restrictions via svn commands. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3315 [2] http://security-tracker.debian.org/tracker/CVE-2010-3315 [3] http://subversion.apache.org/security/CVE-2010-3315-advisory.txt [4] http://secunia.com/advisories/41652
This issue did NOT affect the versions of the subversion package, as shipped with Red Hat Enterprise Linux 4 and 5. -- This issue affects the versions of the subversion package, as shipped with Fedora release of 12 and 13.
Created attachment 451684 [details] Local copy of upstream CVE-2010-3315 advisory
Doesn't this affect the version of subversion included in RHEL 6? The package's changelog suggests this hasn't been fixed.
Created subversion tracking bugs for this issue Affects: fedora-all [bug 672680]
Links to the upstream fix, and the bug in the issue tracker: http://svn.apache.org/viewvc?view=revision&revision=1000060 http://subversion.tigris.org/issues/show_bug.cgi?id=3695
(In reply to comment #6) > Doesn't this affect the version of subversion included in RHEL 6? The package's > changelog suggests this hasn't been fixed. It does affect RHEL6. We are currently working on updates that will resolve this issue.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0258 https://rhn.redhat.com/errata/RHSA-2011-0258.html