It was discovered that Subversion's mod_dontdothat module and Subversion clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. An authenticated remote attacker can cause denial-of-service conditions on the server using mod_dontdothat by sending a specially crafted REPORT request. The attack does not require access to a particular repository. If an attacker has control over HTTP responses sent to a Subversion client, they can cause denial-of-service conditions on the client by injecting an XML bomb into the response. Upstream bug: https://issues.apache.org/jira/browse/SVN-4630
Acknowledgments: Name: Florian Weimer (Red Hat)
Created attachment 1222728 [details] CVE-2016-8734-1.8.16.patch
Created attachment 1222729 [details] CVE-2016-8734-1.9.4.patch
There are two parts to this vulnerability: server-side and client-side. The client side vulnerability only affects subversion when built with the Serf WebDav library, not with the Neon WebDav library. Subversion for Red Hat Enterprise Linux 5, 6 and 7 is built with Neon, so it is not affected by the client-side vulnerability. The server side vulnerability exists in mod_dontdothat, which was only moved from contrib into the standard release in subversion 1.7.3. Red Hat Enterprise Linux 5 and 6 do not build or ship mod_dontdothat.
Mitigation: Only Apache+Subversion servers that have the "DontDoThatConfigFile" configuration option present are affected by this flaw. This option is not enabled in default httpd or mod_dav_svn configuration as shipped with Red Hat Enterprise Linux.
Created subversion tracking bugs for this issue: Affects: fedora-all [bug 1399871]