Updated subversion packages fix security vulnerability
Publication date: 16 Aug 2017Modification date: 16 Aug 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-9800
Description
A Subversion client sometimes connects to URLs provided by the
repository. A maliciously constructed svn+ssh:// URL would cause
Subversion clients to run an arbitrary shell command. Such a URL could
be generated by a malicious server, by a malicious user committing to an
honest server (to attack another user of that server's repositories), or
by a proxy server (CVE-2017-9800).
References
- https://bugs.mageia.org/show_bug.cgi?id=21495
- https://mail-archives.apache.org/mod_mbox/subversion-announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-9312c6089150%40apache.org%3E
- http://svn.apache.org/repos/asf/subversion/tags/1.9.7/CHANGES
- http://mail-archives.apache.org/mod_mbox/subversion-announce/201708.mbox/%3C8760dvl2j6.fsf%40codematters.co.uk%3E
- http://svn.apache.org/repos/asf/subversion/tags/1.8.19/CHANGES
- http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800
SRPMS
6/core
- subversion-1.9.7-1.mga6
5/core
- subversion-1.8.19-1.mga5