It was found that authentication against the Cyrus SASL library would permit a remote user to specify a realm string which is a prefix of the expected realm string. Consequently, a user who has valid credentials to a realm, whose name is a prefix of the repository's realm, would be able to successfully authenticate to the repository. External References: https://subversion.apache.org/security/CVE-2016-2167-advisory.txt
Created subversion tracking bugs for this issue: Affects: fedora-all [bug 1331687]