Updated subversion packages fix security vulnerability
Publication date: 07 Jan 2017
Modification date: 07 Jan 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-8734
Description
Subversion's mod_dontdothat module and clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack, otherwise known as the "billion laughs attack", targets XML parsers and can cause the targeted process to consume an excessive amount of CPU resources or memory (CVE-2016-8734).
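To show why nested entity declarations are dangerous and how a service can screen for them, the following added example (not code from Mageia or the Subversion project) reads only the DTD with Python's expat binding and computes each entity's fully expanded length arithmetically, without ever expanding it. The function names and the sample document are assumptions constructed for this illustration.

```python
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([^;&#\s]+);")

class _DtdDone(Exception):
    """Raised at the root element so document content is never expanded."""

def declared_entities(xml_bytes):
    """Return {name: raw value} for internal general entities in the DTD."""
    entities = {}
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is not None and not is_param:
            entities.setdefault(name, value)  # first declaration is binding
    def on_start(name, attrs):
        raise _DtdDone
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(xml_bytes, True)
    except _DtdDone:
        pass
    return entities

def expanded_length(name, entities, cache, active=()):
    """Length of an entity after full expansion, computed arithmetically."""
    if name not in entities:
        return 1  # predefined (&lt; etc.) or undeclared: counts as one char
    if name in active:
        raise ValueError("recursive entity reference: " + name)
    if name not in cache:
        literal = len(ENTITY_REF.sub("", entities[name]))
        cache[name] = literal + sum(
            expanded_length(ref, entities, cache, active + (name,))
            for ref in ENTITY_REF.findall(entities[name]))
    return cache[name]

def worst_expansion(xml_bytes):
    """Largest expanded entity size declared by the document, in characters."""
    entities, cache = declared_entities(xml_bytes), {}
    return max((expanded_length(n, entities, cache) for n in entities), default=0)

# Constructed sample: small nesting, four references per level.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE r [
 <!ENTITY a "ha">
 <!ENTITY b "&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;">
]><r>&c;</r>"""
```

Comparing `worst_expansion()` against a size limit before the document reaches an entity-expanding parser rejects such input at a cost proportional to the number of declarations.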
References
- https://bugs.mageia.org/show_bug.cgi?id=19877
- https://lists.apache.org/thread.html/ecf3400585d1fd2ffc754bc348a4f7d9a4863573e11d551b3b287640@%3Cannounce.subversion.apache.org%3E
- http://svn.apache.org/repos/asf/subversion/tags/1.8.17/CHANGES
- http://subversion.apache.org/security/CVE-2016-8734-advisory.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8734
SRPMS
5/core
- subversion-1.8.17-1.mga5