ALAS-2017-883


Amazon Linux AMI Security Advisory: ALAS-2017-883
Advisory Release Date: 2017-08-31 23:10 Pacific
Severity: Important
References: CVE-2017-9800 

Issue Overview:

Command injection through clients via malicious svn+ssh URLs
A shell command injection flaw related to the handling of "svn+ssh" URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a "checkout" or "update" action on a malicious repository, or a legitimate repository containing a malicious commit. (CVE-2017-9800 )


Affected Packages:

subversion,mod_dav_svn


Issue Correction:
Run yum update subversion to update your system.
Run yum update mod_dav_svn to update your system.

New Packages:
i686:
    mod_dav_svn-1.9.7-1.54.amzn1.i686
    mod_dav_svn-debuginfo-1.9.7-1.54.amzn1.i686
    subversion-tools-1.9.7-1.58.amzn1.i686
    subversion-libs-1.9.7-1.58.amzn1.i686
    subversion-devel-1.9.7-1.58.amzn1.i686
    subversion-python27-1.9.7-1.58.amzn1.i686
    subversion-perl-1.9.7-1.58.amzn1.i686
    subversion-debuginfo-1.9.7-1.58.amzn1.i686
    subversion-1.9.7-1.58.amzn1.i686
    subversion-javahl-1.9.7-1.58.amzn1.i686
    mod24_dav_svn-1.9.7-1.58.amzn1.i686
    subversion-ruby-1.9.7-1.58.amzn1.i686
    subversion-python26-1.9.7-1.58.amzn1.i686

src:
    mod_dav_svn-1.9.7-1.54.amzn1.src
    subversion-1.9.7-1.58.amzn1.src

x86_64:
    mod_dav_svn-1.9.7-1.54.amzn1.x86_64
    mod_dav_svn-debuginfo-1.9.7-1.54.amzn1.x86_64
    subversion-tools-1.9.7-1.58.amzn1.x86_64
    subversion-1.9.7-1.58.amzn1.x86_64
    subversion-ruby-1.9.7-1.58.amzn1.x86_64
    subversion-python27-1.9.7-1.58.amzn1.x86_64
    mod24_dav_svn-1.9.7-1.58.amzn1.x86_64
    subversion-perl-1.9.7-1.58.amzn1.x86_64
    subversion-libs-1.9.7-1.58.amzn1.x86_64
    subversion-javahl-1.9.7-1.58.amzn1.x86_64
    subversion-python26-1.9.7-1.58.amzn1.x86_64
    subversion-devel-1.9.7-1.58.amzn1.x86_64
    subversion-debuginfo-1.9.7-1.58.amzn1.x86_64