Advisories » MGASA-2013-0275

Updated subversion package fixes security vulnerability.

Publication date: 13 Sep 2013
Modification date: 13 Sep 2013
Type: security
Affected Mageia releases : 2 , 3
CVE: CVE-2013-4277

Description

svnserve takes a --pid-file option which creates a file containing the
process id it is running as. It does not take steps to ensure that the
file it has been directed at is not a symlink. If the pid file is in a
directory writeable by unprivileged users, the destination could be
replaced by a symlink allowing for   privilege escalation. svnserve
does not create a pid file by default (CVE-2013-4277).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=11207
• http://subversion.apache.org/security/CVE-2013-4277-advisory.txt
• https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115318.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4277

SRPMS

2/core

• subversion-1.7.13-1.mga2

3/core

• subversion-1.7.13-1.mga3