Amazon Linux 1 Security Advisory: ALAS-2017-794
Advisory Release Date: 2017-02-06 18:00 Pacific
Advisory Updated Date: 2017-02-06 18:00 Pacific
It was discovered that Subversion's mod_dontdothat module and Subversion clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. An authenticated remote attacker can cause denial-of-service conditions on the server using mod_dontdothat by sending a specially crafted REPORT request. The attack does not require access to a particular repository.
Affected Packages:
subversion, mod_dav_svn
Issue Correction:
Run yum update subversion to update your system.
Run yum update mod_dav_svn to update your system.
i686:
mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.i686
mod_dav_svn-1.9.5-2.53.amzn1.i686
subversion-1.9.5-1.56.amzn1.i686
subversion-devel-1.9.5-1.56.amzn1.i686
mod24_dav_svn-1.9.5-1.56.amzn1.i686
subversion-ruby-1.9.5-1.56.amzn1.i686
subversion-perl-1.9.5-1.56.amzn1.i686
subversion-debuginfo-1.9.5-1.56.amzn1.i686
subversion-python27-1.9.5-1.56.amzn1.i686
subversion-javahl-1.9.5-1.56.amzn1.i686
subversion-libs-1.9.5-1.56.amzn1.i686
subversion-tools-1.9.5-1.56.amzn1.i686
subversion-python26-1.9.5-1.56.amzn1.i686
src:
mod_dav_svn-1.9.5-2.53.amzn1.src
subversion-1.9.5-1.56.amzn1.src
x86_64:
mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.x86_64
mod_dav_svn-1.9.5-2.53.amzn1.x86_64
subversion-libs-1.9.5-1.56.amzn1.x86_64
mod24_dav_svn-1.9.5-1.56.amzn1.x86_64
subversion-python26-1.9.5-1.56.amzn1.x86_64
subversion-ruby-1.9.5-1.56.amzn1.x86_64
subversion-1.9.5-1.56.amzn1.x86_64
subversion-perl-1.9.5-1.56.amzn1.x86_64
subversion-debuginfo-1.9.5-1.56.amzn1.x86_64
subversion-python27-1.9.5-1.56.amzn1.x86_64
subversion-devel-1.9.5-1.56.amzn1.x86_64
subversion-tools-1.9.5-1.56.amzn1.x86_64
subversion-javahl-1.9.5-1.56.amzn1.x86_64
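
The check below is an added example, not part of the advisory: it compares installed version-release strings with the fixed builds in the package list above. The function names and the sample inventory are constructed for illustration, and GNU sort -V stands in for rpm's own version ordering.

```shell
# Fixed version-release per package, copied from the advisory's package list.
fixed_evr() {
  case "$1" in
    mod_dav_svn) echo "1.9.5-2.53.amzn1" ;;
    subversion|subversion-libs|mod24_dav_svn) echo "1.9.5-1.56.amzn1" ;;
    *) return 1 ;;
  esac
}

# True when installed ($1) >= fixed ($2); sort -V approximates rpm ordering.
is_patched() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
  [ "$lowest" = "$2" ]
}

# Reads "name version-release" lines on stdin.
# Returns 1 if any tracked package is older than its fixed build.
check_packages() {
  cp_rc=0
  while read -r cp_name cp_evr; do
    [ -n "$cp_name" ] || continue
    if ! cp_fixed=$(fixed_evr "$cp_name"); then
      echo "SKIP $cp_name (not tracked by this check)"
      continue
    fi
    if is_patched "$cp_evr" "$cp_fixed"; then
      echo "OK $cp_name $cp_evr"
    else
      echo "NEEDS-UPDATE $cp_name $cp_evr (fixed in $cp_fixed)"
      cp_rc=1
    fi
  done
  return "$cp_rc"
}

# Constructed sample inventory (not taken from a real host).
sample_inventory() {
  printf '%s\n' \
    "subversion 1.9.4-2.54.amzn1" \
    "mod_dav_svn 1.9.5-2.53.amzn1" \
    "httpd 2.2.31-1.8.amzn1"
}

# On a host, feed it from rpm instead of the sample:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' subversion mod_dav_svn | check_packages
```

A non-zero return from check_packages means at least one listed package still needs the yum update from the Issue Correction section.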