ALAS-2017-794


Amazon Linux AMI Security Advisory: ALAS-2017-794
Advisory Release Date: 2017-02-06 18:00 Pacific
Severity: Medium
References: CVE-2016-8734 

Issue Overview:

It was discovered that Subversion's mod_dontdothat module and Subversion clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. An authenticated remote attacker can cause denial-of-service conditions on the server using mod_dontdothat by sending a specially crafted REPORT request. The attack does not require access to a particular repository.


Affected Packages:

subversion,mod_dav_svn


Issue Correction:
Run yum update subversion to update your system.
Run yum update mod_dav_svn to update your system.

New Packages:
i686:
    mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.i686
    mod_dav_svn-1.9.5-2.53.amzn1.i686
    subversion-1.9.5-1.56.amzn1.i686
    subversion-devel-1.9.5-1.56.amzn1.i686
    mod24_dav_svn-1.9.5-1.56.amzn1.i686
    subversion-ruby-1.9.5-1.56.amzn1.i686
    subversion-perl-1.9.5-1.56.amzn1.i686
    subversion-debuginfo-1.9.5-1.56.amzn1.i686
    subversion-python27-1.9.5-1.56.amzn1.i686
    subversion-javahl-1.9.5-1.56.amzn1.i686
    subversion-libs-1.9.5-1.56.amzn1.i686
    subversion-tools-1.9.5-1.56.amzn1.i686
    subversion-python26-1.9.5-1.56.amzn1.i686

src:
    mod_dav_svn-1.9.5-2.53.amzn1.src
    subversion-1.9.5-1.56.amzn1.src

x86_64:
    mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.x86_64
    mod_dav_svn-1.9.5-2.53.amzn1.x86_64
    subversion-libs-1.9.5-1.56.amzn1.x86_64
    mod24_dav_svn-1.9.5-1.56.amzn1.x86_64
    subversion-python26-1.9.5-1.56.amzn1.x86_64
    subversion-ruby-1.9.5-1.56.amzn1.x86_64
    subversion-1.9.5-1.56.amzn1.x86_64
    subversion-perl-1.9.5-1.56.amzn1.x86_64
    subversion-debuginfo-1.9.5-1.56.amzn1.x86_64
    subversion-python27-1.9.5-1.56.amzn1.x86_64
    subversion-devel-1.9.5-1.56.amzn1.x86_64
    subversion-tools-1.9.5-1.56.amzn1.x86_64
    subversion-javahl-1.9.5-1.56.amzn1.x86_64