Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 4 Jan 2011 10:19:39 -0500
From: Hyrum Wright <hwright@...che.org>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Kurt Seifried <kurt@...fried.org>, Josh Bressers <bressers@...hat.com>, 
	"Steven M. Christey" <coley@...us.mitre.org>, Joe Orton <jorton@...hat.com>, 
	Subversion Development <dev@...version.apache.org>
Subject: Re: CVE request for subversion

On Tue, Jan 4, 2011 at 10:02 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote:
> Hello Kurt, Josh, vendors,
>
> Josh Bressers wrote:
>>
>> ----- Original Message -----
>>>
>>> Unspecified vulnerability in the server component in Apache Subversion
>>> 1.6.x before 1.6.15 allows remote attackers to cause a denial of
>>> service via unknown vectors, related to a "several bug fixes,
>>> including two which can cause client-initiated crashes on the server."
>>>
>>> [1] http://svn.haxx.se/dev/archive-2010-11/0475.shtml
>
>  Cc-ed Hyrum to shed more light into this one. [1] mentions two issues:
> <begin quote>
> ...
> several bug fixes, including two which can cause client-initiated
> crashes on the server.
> </end quote>
>
> Further look at:
> [2] http://svn.apache.org/repos/asf/subversion/tags/1.6.15/CHANGES
>
> suggest:
>
> A, "* prevent crash in mod_dav_svn when using SVNParentPath (r1033166)"
> being the first one.
>   Upstream changeset:
>   http://svn.apache.org/viewvc?view=revision&revision=1033166
>
> and after discussion with Joe Orton, Joe suggested:
>
> B, * fix server-side memory leaks triggered by 'blame -g' (r1032808)
>   References:
>   http://svn.haxx.se/dev/archive-2010-11/0102.shtml
>   Upstream changeset:
>   http://svn.apache.org/viewvc?view=revision&revision=1032808
>
>   being the second one as denial of service attack (by memory consumption)
> against
>   svnserve.
>
> Questions:
> ----------
> Hyrum, could you confirm A, and B, issues are those two, mentioned in [2]
> to be able to cause client-initiated crashes on the server?

I can confirm that A and B are the two issues mentioned in [2].

>> I admit, this isn't obvious, so let's use CVE-2010-4539 for now.
>> We can split it if needed once more information is known.
>
> Josh, since CVE-2010-4539 was assigned. Once Hyrum confirms, can
> we consider CVE-2010-4539 to be a CVE identifier for A, issue
> and request yet another / second one for B, issue?

We didn't initially reserve CVEs for these vulnerabilities, but will
be happy to update our documentation to reflect them.  (See
http://subversion.apache.org/security/ )   The two issues really are
orthogonal, so B should probably  not be included in a CVE for A.

I've CC'd dev@...version.apache.org to help coordinate advisory authoring.

-Hyrum

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ