CentOS Local Security Checks : CentOS Update for mod_dav

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.882252

Categoría: CentOS Local Security Checks

Título: CentOS Update for mod_dav_svn CESA-2015:1633 centos6

Resumen: Check the version of mod_dav_svn

Descripción: Summary:
Check the version of mod_dav_svn

Vulnerability Insight:
Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes.
The mod_dav_svn module is used with the Apache HTTP Server to allow access
to Subversion repositories via HTTP.

An assertion failure flaw was found in the way the SVN server processed
certain requests with dynamically evaluated revision numbers. A remote
attacker could use this flaw to cause the SVN server (both svnserve and
httpd with the mod_dav_svn module) to crash. (CVE-2015-0248)

It was found that the mod_dav_svn module did not properly validate the
svn:author property of certain requests. An attacker able to create new
revisions could use this flaw to spoof the svn:author property.
(CVE-2015-0251)

It was found that when an SVN server (both svnserve and httpd with the
mod_dav_svn module) searched the history of a file or a directory, it would
disclose its location in the repository if that file or directory was not
readable (for example, if it had been moved). (CVE-2015-3187)

Red Hat would like to thank the Apache Software Foundation for reporting
these issues. Upstream acknowledges Evgeny Kotkov of VisualSVN as the
original reporter of CVE-2015-0248 and CVE-2015-0251, and C. Michael Pilato
of CollabNet as the original reporter of CVE-2015-3187.

All subversion users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, for the update to take effect, you must restart the httpd
daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are
serving Subversion repositories via the svn:// protocol.

Affected Software/OS:
mod_dav_svn on CentOS 6

Solution:
Please install the updated packages.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2015-0248
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
BugTraq ID: 74260
http://www.securityfocus.com/bid/74260
Debian Security Information: DSA-3231 (Google Search)
http://www.debian.org/security/2015/dsa-3231
https://security.gentoo.org/glsa/201610-05
http://www.mandriva.com/security/advisories?name=MDVSA-2015:192
RedHat Security Advisories: RHSA-2015:1633
http://rhn.redhat.com/errata/RHSA-2015-1633.html
RedHat Security Advisories: RHSA-2015:1742
http://rhn.redhat.com/errata/RHSA-2015-1742.html
http://www.securitytracker.com/id/1033214
SuSE Security Announcement: openSUSE-SU-2015:0672 (Google Search)
http://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html
http://www.ubuntu.com/usn/USN-2721-1
Common Vulnerability Exposure (CVE) ID: CVE-2015-0251
BugTraq ID: 74259
http://www.securityfocus.com/bid/74259
http://seclists.org/fulldisclosure/2015/Jun/32
Common Vulnerability Exposure (CVE) ID: CVE-2015-3187
http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html
BugTraq ID: 76273
http://www.securityfocus.com/bid/76273
Debian Security Information: DSA-3331 (Google Search)
http://www.debian.org/security/2015/dsa-3331
http://www.securitytracker.com/id/1033215
SuSE Security Announcement: openSUSE-SU-2015:1401 (Google Search)
http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html

Copyright Copyright (C) 2015 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.882252
Categoría:	CentOS Local Security Checks
Título:	CentOS Update for mod_dav_svn CESA-2015:1633 centos6
Resumen:	Check the version of mod_dav_svn
Descripción:	Summary: Check the version of mod_dav_svn Vulnerability Insight: Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash. (CVE-2015-0248) It was found that the mod_dav_svn module did not properly validate the svn:author property of certain requests. An attacker able to create new revisions could use this flaw to spoof the svn:author property. (CVE-2015-0251) It was found that when an SVN server (both svnserve and httpd with the mod_dav_svn module) searched the history of a file or a directory, it would disclose its location in the repository if that file or directory was not readable (for example, if it had been moved). (CVE-2015-3187) Red Hat would like to thank the Apache Software Foundation for reporting these issues. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter of CVE-2015-0248 and CVE-2015-0251, and C. Michael Pilato of CollabNet as the original reporter of CVE-2015-3187. All subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol. Affected Software/OS: mod_dav_svn on CentOS 6 Solution: Please install the updated packages. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2015-0248 http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html BugTraq ID: 74260 http://www.securityfocus.com/bid/74260 Debian Security Information: DSA-3231 (Google Search) http://www.debian.org/security/2015/dsa-3231 https://security.gentoo.org/glsa/201610-05 http://www.mandriva.com/security/advisories?name=MDVSA-2015:192 RedHat Security Advisories: RHSA-2015:1633 http://rhn.redhat.com/errata/RHSA-2015-1633.html RedHat Security Advisories: RHSA-2015:1742 http://rhn.redhat.com/errata/RHSA-2015-1742.html http://www.securitytracker.com/id/1033214 SuSE Security Announcement: openSUSE-SU-2015:0672 (Google Search) http://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html http://www.ubuntu.com/usn/USN-2721-1 Common Vulnerability Exposure (CVE) ID: CVE-2015-0251 BugTraq ID: 74259 http://www.securityfocus.com/bid/74259 http://seclists.org/fulldisclosure/2015/Jun/32 Common Vulnerability Exposure (CVE) ID: CVE-2015-3187 http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html BugTraq ID: 76273 http://www.securityfocus.com/bid/76273 Debian Security Information: DSA-3331 (Google Search) http://www.debian.org/security/2015/dsa-3331 http://www.securitytracker.com/id/1033215 SuSE Security Announcement: openSUSE-SU-2015:1401 (Google Search) http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html
Copyright	Copyright (C) 2015 Greenbone AG