Nacionalni CERT

Security vulnerabilities in the subversion software package

<p>==========================================================================<br />Ubuntu Security Notice USN-3388-1<br />August 11, 2017<br /><br />subversion vulnerabilities<br />==========================================================================<br /><br />A security issue affects these releases of Ubuntu and its derivatives:<br /><br />- Ubuntu 17.04<br />- Ubuntu 16.04 LTS<br />- Ubuntu 14.04 LTS<br /><br />Summary:<br /><br />Several security issues were fixed in Subversion.<br /><br />Software Description:<br />- subversion: Advanced version control system<br /><br />Details:<br /><br />Joern Schneeweisz discovered that Subversion did not properly handle<br />host names in 'svn+ssh://' URLs. A remote attacker could use this<br />to construct a subversion repository that when accessed could run<br />arbitrary code with the privileges of the user. (CVE-2017-9800)<br /><br />Daniel Shahaf and James McCoy discovered that Subversion did not<br />properly verify realms when using Cyrus SASL authentication. A<br />remote attacker could use this to possibly bypass intended access<br />restrictions. This issue only affected Ubuntu 14.04 LTS and Ubuntu<br />16.04 LTS. (CVE-2016-2167)<br /><br />Florian Weimer discovered that Subversion clients did not properly<br />restrict XML entity expansion when accessing http(s):// URLs. A remote<br />attacker could use this to cause a denial of service. This issue only<br />affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. 
(CVE-2016-8734)<br /><br />Update instructions:<br /><br />The problem can be corrected by updating your system to the following<br />package versions:<br /><br />Ubuntu 17.04:<br /> libsvn1 1.9.5-1ubuntu1.1<br /> subversion 1.9.5-1ubuntu1.1<br /><br />Ubuntu 16.04 LTS:<br /> libapache2-mod-svn 1.9.3-2ubuntu1.1<br /> libapache2-svn 1.9.3-2ubuntu1.1<br /> libsvn1 1.9.3-2ubuntu1.1<br /> subversion 1.9.3-2ubuntu1.1<br /><br />Ubuntu 14.04 LTS:<br /> libapache2-mod-svn 1.8.8-1ubuntu3.3<br /> libapache2-svn 1.8.8-1ubuntu3.3<br /> libsvn1 1.8.8-1ubuntu3.3<br /> subversion 1.8.8-1ubuntu3.3<br /><br />In general, a standard system update will make all the necessary changes.<br /><br />References:<br /> https://www.ubuntu.com/usn/usn-3388-1<br /> CVE-2016-2167, CVE-2016-8734, CVE-2017-9800<br /><br />Package Information:<br /> https://launchpad.net/ubuntu/+source/subversion/1.9.5-1ubuntu1.1<br /> https://launchpad.net/ubuntu/+source/subversion/1.9.3-2ubuntu1.1<br /> https://launchpad.net/ubuntu/+source/subversion/1.8.8-1ubuntu3.3</p>
Security vulnerabilities have been discovered in the subversion software package for the Ubuntu operating system. The discovered vulnerabilities allow potential attackers to execute arbitrary code with the privileges of the user, bypass security restrictions, or carry out a denial-of-service attack. Updating with the released patches is advised.