Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-136-1 websvn

Debian Security Advisory

DLA-136-1 websvn -- LTS security update

Date Reported:

24 Jan 2015

Affected Packages:

websvn

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 775682.
In Mitre's CVE dictionary: CVE-2013-6892.

More information:

James Clawson discovered that websvn, a web viewer for Subversion repositories, would follow symlinks in a repository when presenting a file for download. An attacker with repository write access could thereby access any file on disk readable by the user the webserver runs as.

For Debian 6 Squeeze, these issues have been fixed in websvn version 2.3.3-1+deb6u1