Updated subversion packages fix security vulnerabilities
Publication date: 21 Aug 2014
Modification date: 21 Aug 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-3522, CVE-2014-3528
Description
Updated subversion packages fix security vulnerabilities:

Ben Reser discovered that Subversion did not correctly validate SSL certificates containing wildcards. A remote attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications (CVE-2014-3522).

Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server (CVE-2014-3528).

The subversion package has been updated to 1.8.10 to fix these issues and other bugs.
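An added example, not taken from this advisory or from the Subversion source: a strict certificate name check of the kind a TLS client needs when a certificate carries a wildcard name (CVE-2014-3522). The advisory does not say how the validation went wrong; the rules used here (a wildcard only as the whole leftmost label, standing for exactly one label, with at least two labels after it) and the function name cert_name_matches are assumptions, and the host names are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if host matches the certificate name pattern, else 0. */
int cert_name_matches(const char *pattern, const char *host)
{
    const char *suffix, *host_dot;
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;

    /* No wildcard at all: plain case-insensitive comparison. */
    if (strchr(pattern, '*') == NULL)
        return strcasecmp(pattern, host) == 0;

    /* The wildcard must be the entire leftmost label: "*.rest". */
    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;
    suffix = pattern + 1;               /* e.g. ".example.org" */
    if (strchr(suffix, '*') != NULL)    /* only one wildcard allowed */
        return 0;
    /* Conservative choice: require two labels after "*." so "*.org" fails. */
    if (strchr(suffix + 1, '.') == NULL)
        return 0;

    /* '*' stands for exactly one non-empty label of the host. */
    host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host)
        return 0;
    return strcasecmp(host_dot, suffix) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    static const char *cases[][2] = {
        {"*.example.org", "svn.example.org"},   /* one label: match */
        {"*.example.org", "a.b.example.org"},   /* two labels: reject */
        {"*.example.org", "example.org"},       /* no label: reject */
        {"*.org", "example.org"},               /* too broad: reject */
        {"s*n.example.org", "svn.example.org"}, /* partial label: reject */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s %-16s %s\n", cases[i][0], cases[i][1],
               cert_name_matches(cases[i][0], cases[i][1]) ? "match" : "reject");
    return 0;
}
```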
References
- https://bugs.mageia.org/show_bug.cgi?id=13838
- http://subversion.apache.org/security/CVE-2014-3522-advisory.txt
- http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
- https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E8E6BA.5030100@apache.org%3E
- http://svn.apache.org/repos/asf/subversion/tags/1.8.10/CHANGES
- http://www.ubuntu.com/usn/usn-2316-1/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3522
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3528
SRPMS
4/core
- subversion-1.8.10-1.mga4