Updated subversion packages fix security vulnerability
Publication date: 07 Jan 2017
Modification date: 07 Jan 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-8734
Description
Subversion's mod_dontdothat module and clients using http(s):// are
vulnerable to a denial-of-service attack caused by exponential XML
entity expansion. The attack, otherwise known as the "billion laughs
attack", targets XML parsers and can cause the targeted process to
consume an excessive amount of CPU resources or memory (CVE-2016-8734).
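
As an added illustration (not part of this advisory and not the Subversion patch), the following Python sketch guards an expat-based parser against exponential entity expansion by computing the cost of every declared entity arithmetically and aborting at the end of the DOCTYPE, before any content is expanded. The function names, the cost metric (characters produced plus references resolved) and the budget values are assumptions chosen for the example; the sample document is constructed and deliberately tiny.

```python
import re
from xml.parsers import expat

ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")

class EntityExpansionRejected(ValueError):
    """Declared entities would cost more than the budget to expand."""

def expansion_cost(name, decls, budget, memo, stack=()):
    """Characters produced plus references resolved, computed without expanding."""
    if name in memo:
        return memo[name]
    if name not in decls:  # predefined (&amp;) or undeclared: one unit
        return 1
    if name in stack:
        raise EntityExpansionRejected(f"recursive entity &{name};")
    cost = len(ENTITY_REF.sub("", decls[name]))  # literal characters only
    for ref in ENTITY_REF.findall(decls[name]):
        cost += 1 + expansion_cost(ref, decls, budget, memo, stack + (name,))
        if cost > budget:
            raise EntityExpansionRejected(f"&{name}; exceeds budget {budget}")
    memo[name] = cost  # memoised so the check itself stays linear
    return cost

def parse_with_entity_budget(data, budget=10_000):
    """Parse XML, aborting at the end of the DOCTYPE if entities are too costly."""
    decls, elements, memo = {}, [], {}
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is not None and not is_param:  # internal general entities only
            decls[name] = value                 # parameter entities not modelled
    def on_doctype_end():
        try:
            for name in decls:
                expansion_cost(name, decls, budget, memo)
        except RecursionError:
            raise EntityExpansionRejected("entity nesting too deep") from None
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    parser.StartElementHandler = lambda tag, attrs: elements.append(tag)
    parser.Parse(data, True)
    return elements

# Constructed sample: four references per level, two levels deep.
NESTED = b"""<!DOCTYPE r [
 <!ENTITY a0 "lol">
 <!ENTITY a1 "&a0;&a0;&a0;&a0;">
 <!ENTITY a2 "&a1;&a1;&a1;&a1;">
]><r>&a2;</r>"""
```

Because the cost grows multiplicatively with each nesting level, a fixed budget rejects the document after reading only the declarations, regardless of how large the expansion would have been.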
References
- https://bugs.mageia.org/show_bug.cgi?id=19877
- https://lists.apache.org/thread.html/ecf3400585d1fd2ffc754bc348a4f7d9a4863573e11d551b3b287640@%3Cannounce.subversion.apache.org%3E
- http://svn.apache.org/repos/asf/subversion/tags/1.8.17/CHANGES
- http://subversion.apache.org/security/CVE-2016-8734-advisory.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8734
SRPMS
5/core
- subversion-1.8.17-1.mga5