Updated subversion packages fix security vulnerabilities
Publication date: 28 Dec 2015
Modification date: 11 Mar 2022
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-5343
Description
Updated subversion packages fix security vulnerability: Subversion's httpd servers are vulnerable to a remotely triggerable heap-based buffer overflow and out-of-bounds read caused by an integer overflow when parsing skel-encoded request bodies (CVE-2015-5343). This allows remote attackers with write access to a repository to cause a denial of service or possibly execute arbitrary code under the context of the httpd process. 32-bit server versions are vulnerable to both the denial-of-service attack and possible arbitrary code execution. 64-bit server versions are only vulnerable to the denial-of-service attack.
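The advisory does not show the faulty code. The following C example is added here to illustrate the general bug class it names (an integer overflow in a length that leads to an undersized heap buffer), next to a checked version; it is not Subversion's code and not taken from the advisory. All function and type names are hypothetical, and the 32-bit size type is an assumption used to model a 32-bit server build.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout: this models the bug class only,
   it is not Subversion's source. */

/* Model of a 32-bit build: buffer sizes are 32 bits wide, while the
   length declared by the client is parsed into a 64-bit integer. */
typedef uint32_t size32_t;

/* Unsafe pattern: declared length plus one terminator byte is narrowed
   to the size type with no range check, so large values wrap around. */
size32_t alloc_size_unchecked(int64_t declared_len)
{
    return (size32_t)((uint64_t)declared_len + 1);
}

/* Hardened pattern: refuse negative, over-limit, or wrapping lengths
   before any arithmetic or narrowing. Returns false to reject. */
bool alloc_size_checked(int64_t declared_len, size32_t limit, size32_t *out)
{
    if (declared_len < 0 || (uint64_t)declared_len > limit)
        return false;
    if (declared_len == UINT32_MAX)      /* +1 would wrap to 0 */
        return false;
    *out = (size32_t)declared_len + 1;
    return true;
}

int main(void)
{
    /* Constructed sample lengths, not values from the advisory. */
    const int64_t samples[] = { 100, INT64_C(0x100000000), -1 };
    const size32_t limit = 1u << 20;     /* assumed 1 MiB body limit */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size32_t n = 0;
        bool ok = alloc_size_checked(samples[i], limit, &n);
        printf("declared=%lld unchecked_alloc=%u checked=%s\n",
               (long long)samples[i],
               (unsigned)alloc_size_unchecked(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

With the unchecked computation, a declared length of 4 GiB yields a 1-byte buffer, so any later copy that trusts the declared length writes or reads past it; the checked version rejects the request before allocating.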
References
- https://bugs.mageia.org/show_bug.cgi?id=17353
- http://mail-archives.apache.org/mod_mbox/subversion-dev/201512.mbox/%3CCAP_GPNieJGPDbf=nmbSdf+CTMZ=5pREoqwnDNvO80mfAKNaY7Q@mail.gmail.com%3E
- http://svn.apache.org/repos/asf/subversion/tags/1.8.15/CHANGES
- http://subversion.apache.org/security/CVE-2015-5343-advisory.txt
- https://www.debian.org/security/2015/dsa-3424
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5343
SRPMS
5/core
- subversion-1.8.15-1.mga5