ALAS-2015-587


Amazon Linux 1 Security Advisory: ALAS-2015-587
Advisory Release Date: 2015-08-24 22:27 Pacific
Advisory Updated Date: 2015-08-24 22:35 Pacific
Severity: Medium

Issue Overview:

The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes. (CVE-2015-0202)

An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash. (CVE-2015-0248)

It was found that the mod_dav_svn module did not properly validate the svn:author property of certain requests. An attacker able to create new revisions could use this flaw to spoof the svn:author property. (CVE-2015-0251)


Affected Packages:

subversion, mod_dav_svn


Issue Correction:
Run yum update subversion mod_dav_svn to update your system.

New Packages:
i686:
    mod_dav_svn-1.8.13-7.50.amzn1.i686
    mod_dav_svn-debuginfo-1.8.13-7.50.amzn1.i686
    subversion-python26-1.8.13-7.52.amzn1.i686
    subversion-libs-1.8.13-7.52.amzn1.i686
    subversion-python27-1.8.13-7.52.amzn1.i686
    subversion-tools-1.8.13-7.52.amzn1.i686
    subversion-ruby-1.8.13-7.52.amzn1.i686
    subversion-debuginfo-1.8.13-7.52.amzn1.i686
    subversion-devel-1.8.13-7.52.amzn1.i686
    subversion-javahl-1.8.13-7.52.amzn1.i686
    subversion-1.8.13-7.52.amzn1.i686
    mod24_dav_svn-1.8.13-7.52.amzn1.i686
    subversion-perl-1.8.13-7.52.amzn1.i686

src:
    mod_dav_svn-1.8.13-7.50.amzn1.src
    subversion-1.8.13-7.52.amzn1.src

x86_64:
    mod_dav_svn-1.8.13-7.50.amzn1.x86_64
    mod_dav_svn-debuginfo-1.8.13-7.50.amzn1.x86_64
    subversion-debuginfo-1.8.13-7.52.amzn1.x86_64
    subversion-python27-1.8.13-7.52.amzn1.x86_64
    mod24_dav_svn-1.8.13-7.52.amzn1.x86_64
    subversion-devel-1.8.13-7.52.amzn1.x86_64
    subversion-javahl-1.8.13-7.52.amzn1.x86_64
    subversion-ruby-1.8.13-7.52.amzn1.x86_64
    subversion-perl-1.8.13-7.52.amzn1.x86_64
    subversion-1.8.13-7.52.amzn1.x86_64
    subversion-tools-1.8.13-7.52.amzn1.x86_64
    subversion-libs-1.8.13-7.52.amzn1.x86_64
    subversion-python26-1.8.13-7.52.amzn1.x86_64
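
To confirm a host has picked up the update, installed builds can be compared against the "New Packages" list above. The script below is an added example, not part of the original advisory; the function names and the sample inventory are constructed for illustration, and GNU sort -V is assumed as a stand-in for rpm's own version comparison.

```bash
#!/bin/bash
# Added example: flag packages older than the builds listed in ALAS-2015-587.
# Input: lines of "name version-release", e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'subversion*' 'mod*_dav_svn*'

# Fixed builds taken from the advisory's "New Packages" list.
fixed_build() {
    case "$1" in
        mod_dav_svn|mod_dav_svn-debuginfo) echo "1.8.13-7.50.amzn1" ;;
        mod24_dav_svn|subversion|subversion-*) echo "1.8.13-7.52.amzn1" ;;
        *) return 1 ;;
    esac
}

# True when $1 sorts strictly before $2. sort -V approximates rpm's
# ordering (assumption); epochs are not handled.
older_than() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin, prints one verdict per
# advisory package, and returns 1 if any is older than its fixed build.
check_alas_2015_587() {
    local stale=0 name build fixed
    while read -r name build; do
        fixed=$(fixed_build "$name") || continue   # not covered by this advisory
        if older_than "$build" "$fixed"; then
            echo "OUTDATED $name $build (fixed in $fixed)"
            stale=1
        else
            echo "OK $name $build"
        fi
    done
    return "$stale"
}

# Constructed sample inventory (not taken from a real host).
SAMPLE_INVENTORY='subversion 1.8.11-1.50.amzn1
subversion-libs 1.8.13-7.52.amzn1
mod_dav_svn 1.8.13-7.50.amzn1
httpd 2.2.31-1.6.amzn1'
```

On a live system, pipe the rpm query shown in the header comment into check_alas_2015_587; a non-zero exit status means at least one package still predates the fixed build.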