Bug 1062042 (CVE-2014-0032) - CVE-2014-0032 subversion: mod_dav_svn crash when handling certain requests with SVNListParentPath on
Status: CLOSED ERRATA
Alias: CVE-2014-0032
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1063203 1063204 1064216 1064218 1064221 1064222
Blocks: 1062046
Reported: 2014-02-06 05:13 UTC by Murray McAllister
Modified: 2021-02-17 06:54 UTC

Fixed In Version: subversion 1.7.15, subversion 1.8.6
Doc Type: Bug Fix
Last Closed: 2014-10-21 09:12:54 UTC

Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Novell | 862459 | 0 | None | None | None | Never |
| Red Hat Product Errata | RHSA-2014:0255 | 0 | normal | SHIPPED_LIVE | Moderate: subversion security update | 2014-03-06 00:00:14 UTC |

Description Murray McAllister 2014-02-06 05:13:38 UTC
A mod_dav_svn crash was reported when SVNListParentPath is on:

http://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3CCANvU9scLHr2yOLABW8q6_wNzhEf7pWM=NiavGcobqvUuyhKyAA@mail.gmail.com%3E

Certain requests could cause mod_dav_svn to crash.

This has been corrected in version 1.7.15:

https://svn.apache.org/repos/asf/subversion/branches/1.7.x/CHANGES

Upstream fix for CVE-2014-0032:

http://svn.apache.org/viewvc?view=revision&revision=r1557320

Comment 2 Huzaifa S. Sidhpurwala 2014-02-10 09:33:46 UTC
This issue affects the version of subversion as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 4 Huzaifa S. Sidhpurwala 2014-02-10 09:35:00 UTC
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1063204]

Comment 12 Vincent Danen 2014-02-20 18:23:15 UTC
External References:

http://subversion.apache.org/security/CVE-2014-0032-advisory.txt

Comment 19 Fedora Update System 2014-03-15 15:17:26 UTC
subversion-1.8.8-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2014-03-15 15:19:23 UTC
subversion-1.7.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Tomas Hoger 2014-10-21 09:12:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0255 https://rhn.redhat.com/errata/RHSA-2014-0255.html

