Updated subversion packages fix security vulnerabilities
Publication date: 27 Aug 2015
Modification date: 27 Aug 2015
Type: security
Affected Mageia releases: 4, 5
CVE: CVE-2015-3184, CVE-2015-3187
Description
Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. As a result, anonymous users may be able to access files that should be available only to authenticated users (CVE-2015-3184).

Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by path-based authz. When a node is copied from an unreadable location to a readable location, the unreadable path may be revealed. This vulnerability reveals only the path, not the contents of the path (CVE-2015-3187).

This update also re-enables the java subpackage for the Mageia 5 subversion package (mga#16075).
References
- https://bugs.mageia.org/show_bug.cgi?id=16572
- https://bugs.mageia.org/show_bug.cgi?id=16075
- http://subversion.apache.org/security/CVE-2015-3184-advisory.txt
- http://subversion.apache.org/security/CVE-2015-3187-advisory.txt
- http://svn.haxx.se/dev/archive-2015-08/0024.shtml
- http://svn.apache.org/repos/asf/subversion/tags/1.8.14/CHANGES
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3184
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3187
SRPMS
5/core
- subversion-1.8.14-1.mga5
4/core
- subversion-1.8.14-1.mga4