Security Information / 2013 / Security Information -- DSA-2703-1 subversion

Debian Security Advisory

DSA-2703-1 subversion -- several vulnerabilities

Date Reported:

09 Jun 2013

Affected Packages:

subversion

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 711033.
In Mitre's CVE dictionary: CVE-2013-1968, CVE-2013-2112.

More information:

Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2013-1968

  Subversion repositories with the FSFS repository data store format can be corrupted by newline characters in filenames. A remote attacker with a malicious client could use this flaw to disrupt the service for other users using that repository.

• CVE-2013-2112

  Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process. A remote attacker can cause svnserve to exit and thus deny service to users of the server.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.6.12dfsg-7.

For the stable distribution (wheezy), these problems have been fixed in version 1.6.17dfsg-4+deb7u3.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your subversion packages.