Advisories » MGASA-2016-0161

Updated subversion packages fix security vulnerabilities

Publication date: 05 May 2016
Modification date: 05 May 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-2167, CVE-2016-2168

Description

Updated subversion packages fix security vulnerabilities:

Daniel Shahaf and James McCoy discovered that an implementation error in the
authentication against the Cyrus SASL library would permit a remote user to
specify a realm string which is a prefix of the expected realm string,
potentially allowing the user to authenticate using the wrong realm
(CVE-2016-2167).
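
The prefix-matching flaw described above is an instance of a common comparison bug. The following added example (not Subversion's code and not part of this advisory) shows a length-bounded comparison that accepts a prefix next to an exact comparison. The function names, the `user@realm` identity form and the realm strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Flawed pattern: the comparison length comes from the client-supplied
   string, so any prefix of the expected realm (even "") compares equal. */
static int realm_matches_prefix_bug(const char *supplied, const char *expected)
{
    return strncmp(supplied, expected, strlen(supplied)) == 0;
}

/* Corrected pattern: the lengths must be equal before bytes are compared. */
static int realm_matches_exact(const char *supplied, const char *expected)
{
    size_t supplied_len = strlen(supplied);
    return supplied_len == strlen(expected)
        && memcmp(supplied, expected, supplied_len) == 0;
}

/* Assumed identity form "user@realm": split at the last '@' and require an
   exact realm match; an identity without a realm never matches. */
static int user_in_realm(const char *identity, const char *expected)
{
    const char *at = strrchr(identity, '@');
    return at != NULL && realm_matches_exact(at + 1, expected);
}

int main(void)
{
    /* Constructed sample values, not taken from any real configuration. */
    const char *expected = "Example Repository";
    const char *supplied[] = { "Example Repository", "Example", "", "Other" };
    size_t i;

    for (i = 0; i < sizeof supplied / sizeof supplied[0]; i++)
        printf("%-20s flawed=%d exact=%d\n", supplied[i],
               realm_matches_prefix_bug(supplied[i], expected),
               realm_matches_exact(supplied[i], expected));
    printf("alice@Example -> %d\n", user_in_realm("alice@Example", expected));
    return 0;
}
```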

Ivan Zhakov of VisualSVN discovered a remotely triggerable denial of service
vulnerability in the mod_authz_svn module during a COPY or MOVE authorization
check. An authenticated remote attacker could take advantage of this flaw to
cause a denial of service (Subversion server crash) via COPY or MOVE requests
with a specially crafted header (CVE-2016-2168).

References

SRPMS

5/core