Bug 1127063 (CVE-2014-3522) - CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (repository access) layer
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3522
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1128884
Blocks: 1127064
Reported: 2014-08-06 04:12 UTC by Murray McAllister
Modified: 2023-05-12 21:44 UTC (History)

Fixed In Version: subversion 1.7.18, subversion 1.8.10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-10 23:26:47 UTC
Embargoed:


Attachments
Upstream advisory draft (5.78 KB, text/plain), 2014-08-06 08:43 UTC, Tomas Hoger
Patch against subversion 1.7.17 (15.99 KB, patch), 2014-08-06 08:43 UTC, Tomas Hoger
Patch against subversion 1.8.9 (16.61 KB, patch), 2014-08-06 08:44 UTC, Tomas Hoger

Description Murray McAllister 2014-08-06 04:12:01 UTC
It was reported that Subversion's Serf RA layer did not correctly validate SSL certificates containing wildcards. A certificate that falls within the wildcard range would be accepted as valid, possibly leading to man-in-the-middle attacks.

This issue only affected Subversion clients that use Serf. Neon, which is used by Subversion clients in Red Hat Enterprise Linux 5, 6, and 7, is not affected.

Comment 2 Tomas Hoger 2014-08-06 08:43:28 UTC
Created attachment 924402 [details]
Upstream advisory draft

Comment 3 Tomas Hoger 2014-08-06 08:43:56 UTC
Created attachment 924403 [details]
Patch against subversion 1.7.17

Comment 4 Tomas Hoger 2014-08-06 08:44:22 UTC
Created attachment 924404 [details]
Patch against subversion 1.8.9

Comment 5 Tomas Hoger 2014-08-06 09:08:05 UTC
Note that the above patches introduce one other unrelated change - if any Subject Alternate Name is listed in the certificate, the Common Name in the certificate subject will no longer be checked.  This is consistent with the HTTPS RFC 2818, section 3.1 (http://tools.ietf.org/html/rfc2818#section-3.1).

However, this was not enforced prior to this fix, and may not be enforced by all TLS/SSL libraries.  Hence the change may cause a certificate to be rejected even if it was accepted previously, and is accepted by other tools.

The solution is to ensure that the hostname listed in Common Name is also listed as Subject Alternate Name whenever any Subject Alternate Name is used.
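
The following Python script is an added illustration of the two validation rules discussed in this bug; it is not Subversion's or Serf's code. It implements hostname matching in the spirit of RFC 2818 section 3.1 (a wildcard is accepted only as the whole leftmost label and matches exactly one label, which is a stricter reading than the RFC's "component fragment" wording; a wildcard covering a whole top-level domain such as "*.com" is also refused), applies the rule that a Common Name is ignored whenever any dNSName Subject Alternative Name is present, and provides the check a certificate owner would run to catch the operational pitfall from this comment (a CN host that is not repeated in the SAN list). The Cert class and the sample certificates are constructed stand-ins for parsed X.509 data, not real certificates.

```python
"""Hostname matching against an X.509 certificate, RFC 2818 section 3.1 style.

Added example for CVE-2014-3522 (not Subversion/Serf code). Certificates are
modelled as a plain dataclass so the script runs offline.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate: subject CN and dNSName SANs."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def match_hostname_pattern(pattern: str, hostname: str) -> bool:
    """Return True if hostname matches the certificate name pattern.

    DNS names are case-insensitive. A '*' is accepted only as the entire
    leftmost label and matches exactly one label, so "*.example.com" matches
    "www.example.com" but neither "a.b.example.com" nor "example.com".
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels          # plain name: exact label-wise match
    # Wildcard anywhere other than as the whole leftmost label is rejected.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # Refuse to let "*.com" cover an entire TLD (stricter than RFC 2818).
    if len(p_labels) < 3:
        return False
    # One wildcard covers exactly one label: label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_matches_host(cert: Cert, hostname: str) -> bool:
    """RFC 2818 s3.1: if any dNSName SAN exists, only the SANs are consulted."""
    if cert.san_dns:
        return any(match_hostname_pattern(name, hostname) for name in cert.san_dns)
    return cert.common_name is not None and match_hostname_pattern(cert.common_name, hostname)


def cn_missing_from_san(cert: Cert) -> bool:
    """Operational check: CN host not repeated in the SAN list.

    Such a certificate is accepted by clients that still fall back to the CN
    but rejected by clients that follow RFC 2818 once a SAN is present.
    """
    if not cert.san_dns or cert.common_name is None:
        return False
    return cert.common_name.lower() not in {n.lower() for n in cert.san_dns}


if __name__ == "__main__":
    # Constructed sample certificates.
    wildcard = Cert(common_name="*.example.com", san_dns=["*.example.com"])
    for host in ["www.example.com", "a.b.example.com", "example.com"]:
        print(f"{host:20s} -> {cert_matches_host(wildcard, host)}")
    legacy = Cert(common_name="svn.example.com", san_dns=["www.example.com"])
    print("CN missing from SAN:", cn_missing_from_san(legacy))
```

The script prints True only for www.example.com against the wildcard certificate, and flags the second certificate because svn.example.com appears in the CN but not in the SAN list, which is exactly the case that starts failing once a client applies the RFC 2818 rule.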

Comment 6 Tomas Hoger 2014-08-06 09:10:51 UTC
Acknowledgment:

Red Hat would like to thank the Subversion project for reporting this issue. Upstream acknowledges Ben Reser of WANdisco as the original reporter.

Statement:

Not vulnerable. This issue did not affect the versions of subversion as shipped with Red Hat Enterprise Linux 5, 6, and 7, as they do not use the Serf RA layer.

Comment 7 Tomas Hoger 2014-08-06 09:13:38 UTC
(In reply to Murray McAllister from comment #0)
> This issue only affected Subversion clients that use Serf. Neon, which is
> used by Subversion clients in Red Hat Enterprise Linux 5, 6, and 7, is not
> affected.

The subversion in Fedora 19 and earlier does not use Serf and uses Neon.  Hence they were not affected by this issue.  Fedora 20 and later include subversion 1.8, which no longer supports Neon and uses Serf instead.  Therefore, packages in Fedora 20 and later are affected.

The change from Neon to Serf was done as part of rebase to 1.8:
http://pkgs.fedoraproject.org/cgit/subversion.git/commit/?h=f20&id=83f457f

Comment 8 Vincent Danen 2014-08-11 18:20:39 UTC
External References:

http://subversion.apache.org/security/CVE-2014-3522-advisory.txt

Comment 9 Vincent Danen 2014-08-11 18:22:51 UTC
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1128884]

Comment 10 Vincent Danen 2014-09-10 23:26:47 UTC
subversion-1.8.10-1.fc20 was pushed to the Fedora 20 stable repository on 2014-08-28.

