Date: Wed, 5 Jan 2011 11:09:43 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: Kurt Seifried <kurt@...fried.org>, "Steven M. Christey" <coley@...us.mitre.org>, Joe Orton <jorton@...hat.com>, Subversion Development <dev@...version.apache.org> Subject: Re: CVE request for subversion ----- Original Message ----- > On Tue, Jan 4, 2011 at 10:02 AM, Jan Lieskovsky <jlieskov@...hat.com> > wrote: > > Hello Kurt, Josh, vendors, > > > > Josh Bressers wrote: > >> > >> ----- Original Message ----- > >>> > >>> Unspecified vulnerability in the server component in Apache > >>> Subversion > >>> 1.6.x before 1.6.15 allows remote attackers to cause a denial of > >>> service via unknown vectors, related to a "several bug fixes, > >>> including two which can cause client-initiated crashes on the > >>> server." > >>> > >>>  http://svn.haxx.se/dev/archive-2010-11/0475.shtml > > > > Cc-ed Hyrum to shed more light into this one.  mentions two > > issues: > > <begin quote> > > ... > > several bug fixes, including two which can cause client-initiated > > crashes on the server. > > </end quote> > > > > Further look at: > >  http://svn.apache.org/repos/asf/subversion/tags/1.6.15/CHANGES > > > > suggest: > > > > A, "* prevent crash in mod_dav_svn when using SVNParentPath > > (r1033166)" > > being the first one. > > Upstream changeset: > > http://svn.apache.org/viewvc?view=revision&revision=1033166 > > > > and after discussion with Joe Orton, Joe suggested: > > > > B, * fix server-side memory leaks triggered by 'blame -g' (r1032808) > > References: > > http://svn.haxx.se/dev/archive-2010-11/0102.shtml > > Upstream changeset: > > http://svn.apache.org/viewvc?view=revision&revision=1032808 > > > > being the second one as denial of service attack (by memory > > consumption) > > against > > svnserve. > > > > Questions: > > ---------- > > Hyrum, could you confirm A, and B, issues are those two, mentioned > > in  > > to be able to cause client-initiated crashes on the server? > > I can confirm that A and B are the two issues mentioned in . > > >> I admit, this isn't obvious, so let's use CVE-2010-4539 for now. > >> We can split it if needed once more information is known. > > > > Josh, since CVE-2010-4539 was assigned. Once Hyrum confirms, can > > we consider CVE-2010-4539 to be a CVE identifier for A, issue > > and request yet another / second one for B, issue? > > We didn't initially reserve CVEs for these vulnerabilities, but will > be happy to update our documentation to reflect them. (See > http://subversion.apache.org/security/ ) The two issues really are > orthogonal, so B should probably not be included in a CVE for A. > > I've CC'd dev@...version.apache.org to help coordinate advisory > authoring. > OK, let's split the CVE id then. So for A, "* prevent crash in mod_dav_svn when using SVNParentPath (r1033166)" Upstream changeset: http://svn.apache.org/viewvc?view=revision&revision=1033166 Let's use CVE-2010-4539. For B, * fix server-side memory leaks triggered by 'blame -g' (r1032808) References: http://svn.haxx.se/dev/archive-2010-11/0102.shtml Upstream changeset: http://svn.apache.org/viewvc?view=revision&revision=1032808 Let's use CVE-2010-4644. Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ