Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 22 Jan 2019 22:57:15 -0500
From: Troy Curtis <>
Subject: [CVE-2018-11803] Apache Subversion Denial of Service Vulnerability

This is a security notification for Apache Subversion HTTP Servers:

Severity: Medium
Affected Versions: Apache Subversion 1.11.0, 1.10.0 to 1.10.3

Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 
to 1.10.3 will crash after dereferencing an uninitialized pointer if the 
client omits the root path in a recursive directory listing operation. 
This issue can be triggered by any client on Subversion repositories 
configured for anonymous read access. If read access requires 
authentication, a denial of service attack can only be performed by an 
authenticated user.

The Subversion releases 1.10.4 and 1.11.1 contain the fixes for this 
vulnerability and are available immediately at:

Additional details, including patches for 1.10.3 and 1.11.0 can be found at:

We encourage users of Subversion to upgrade to the latest appropriate 
version as soon as reasonable.

- The Subversion Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.