Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 04 Jan 2011 16:02:04 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: Kurt Seifried <kurt@...fried.org>, Josh Bressers <bressers@...hat.com>
CC: oss-security <oss-security@...ts.openwall.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Joe Orton <jorton@...hat.com>, Hyrum Wright <hwright@...che.org>
Subject: Re: CVE request for subversion

Hello Kurt, Josh, vendors,

Josh Bressers wrote:
> 
> ----- Original Message -----
>> Unspecified vulnerability in the server component in Apache Subversion
>> 1.6.x before 1.6.15 allows remote attackers to cause a denial of
>> service via unknown vectors, related to a "several bug fixes,
>> including two which can cause client-initiated crashes on the server."
>>
 >> [1] http://svn.haxx.se/dev/archive-2010-11/0475.shtml

   Cc-ed Hyrum to shed more light into this one. [1] mentions two issues:
<begin quote>
...
several bug fixes, including two which can cause client-initiated
crashes on the server.
</end quote>

Further look at:
[2] http://svn.apache.org/repos/asf/subversion/tags/1.6.15/CHANGES

suggest:

A, "* prevent crash in mod_dav_svn when using SVNParentPath (r1033166)" being the first one.
    Upstream changeset:
    http://svn.apache.org/viewvc?view=revision&revision=1033166

and after discussion with Joe Orton, Joe suggested:

B, * fix server-side memory leaks triggered by 'blame -g' (r1032808)
    References:
    http://svn.haxx.se/dev/archive-2010-11/0102.shtml
    Upstream changeset:
    http://svn.apache.org/viewvc?view=revision&revision=1032808

    being the second one as denial of service attack (by memory consumption) against
    svnserve.

Questions:
----------
Hyrum, could you confirm A, and B, issues are those two, mentioned in [2]
to be able to cause client-initiated crashes on the server?

> I admit, this isn't obvious, so let's use CVE-2010-4539 for now.
> We can split it if needed once more information is known.

Josh, since CVE-2010-4539 was assigned. Once Hyrum confirms, can
we consider CVE-2010-4539 to be a CVE identifier for A, issue
and request yet another / second one for B, issue?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> Thanks.
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ