CVE-2014-3528 - Credentials Management vulnerability in multiple products

CVSS 4.0 - MEDIUM

Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, high complexity, opensuse, apache, canonical, apple, redhat, CWE-255, nessus

Summary

Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.

Vulnerable Configurations

Part          Description   Count
OS            Opensuse      2
OS            Canonical     2
OS            Redhat        9
Application   Apache        89
Application   Apple         1

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2015-0166.NASL
    description: Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash. (CVE-2014-8108) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81278
    published: 2015-02-11
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81278
    title: CentOS 7 : subversion (CESA-2015:0166)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2015:0166 and 
    # CentOS Errata and Security Advisory 2015:0166 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81278);
      script_version("1.7");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2014-3528", "CVE-2014-3580", "CVE-2014-8108");
      script_xref(name:"RHSA", value:"2015:0166");
    
      script_name(english:"CentOS 7 : subversion (CESA-2015:0166)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated subversion packages that fix three security issues are now
    available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having Moderate
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    Subversion (SVN) is a concurrent version control system which enables
    one or more users to collaborate in developing and maintaining a
    hierarchy of files and directories while keeping a history of all
    changes. The mod_dav_svn module is used with the Apache HTTP Server to
    allow access to Subversion repositories via HTTP.
    
    A NULL pointer dereference flaw was found in the way the mod_dav_svn
    module handled REPORT requests. A remote, unauthenticated attacker
    could use a specially crafted REPORT request to crash mod_dav_svn.
    (CVE-2014-3580)
    
    A NULL pointer dereference flaw was found in the way the mod_dav_svn
    module handled certain requests for URIs that trigger a lookup of a
    virtual transaction name. A remote, unauthenticated attacker could
    send a request for a virtual transaction name that does not exist,
    causing mod_dav_svn to crash. (CVE-2014-8108)
    
    It was discovered that Subversion clients retrieved cached
    authentication credentials using the MD5 hash of the server realm
    string without also checking the server's URL. A malicious server able
    to provide a realm that triggers an MD5 collision could possibly use
    this flaw to obtain the credentials for a different realm.
    (CVE-2014-3528)
    
    Red Hat would like to thank the Subversion project for reporting
    CVE-2014-3580 and CVE-2014-8108. Upstream acknowledges Evgeny Kotkov
    of VisualSVN as the original reporter.
    
    All subversion users should upgrade to these updated packages, which
    contain backported patches to correct these issues. After installing
    the updated packages, for the update to take effect, you must restart
    the httpd daemon, if you are using mod_dav_svn, and the svnserve
    daemon, if you are serving Subversion repositories via the svn://
    protocol."
      );
      # https://lists.centos.org/pipermail/centos-announce/2015-February/020931.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f3bc739f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected subversion packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-3580");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mod_dav_svn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-javahl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-kde");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/02/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"mod_dav_svn-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-devel-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-gnome-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-javahl-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-kde-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-libs-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-perl-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-python-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-ruby-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"subversion-tools-1.7.14-7.el7_0")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_dav_svn / subversion / subversion-devel / subversion-gnome / etc");
    }
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-0166.NASL
    description: From Red Hat Security Advisory 2015:0166 : Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash. (CVE-2014-8108) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81289
    published: 2015-02-11
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81289
    title: Oracle Linux 7 : subversion (ELSA-2015-0166)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2015:0166 and 
    # Oracle Linux Security Advisory ELSA-2015-0166 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81289);
      script_version("1.8");
      script_cvs_date("Date: 2019/09/27 13:00:36");
    
      script_cve_id("CVE-2014-3528", "CVE-2014-3580", "CVE-2014-8108");
      script_bugtraq_id(68995, 71725, 71726);
      script_xref(name:"RHSA", value:"2015:0166");
    
      script_name(english:"Oracle Linux 7 : subversion (ELSA-2015-0166)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2015:0166 :
    
    Updated subversion packages that fix three security issues are now
    available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having Moderate
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    Subversion (SVN) is a concurrent version control system which enables
    one or more users to collaborate in developing and maintaining a
    hierarchy of files and directories while keeping a history of all
    changes. The mod_dav_svn module is used with the Apache HTTP Server to
    allow access to Subversion repositories via HTTP.
    
    A NULL pointer dereference flaw was found in the way the mod_dav_svn
    module handled REPORT requests. A remote, unauthenticated attacker
    could use a specially crafted REPORT request to crash mod_dav_svn.
    (CVE-2014-3580)
    
    A NULL pointer dereference flaw was found in the way the mod_dav_svn
    module handled certain requests for URIs that trigger a lookup of a
    virtual transaction name. A remote, unauthenticated attacker could
    send a request for a virtual transaction name that does not exist,
    causing mod_dav_svn to crash. (CVE-2014-8108)
    
    It was discovered that Subversion clients retrieved cached
    authentication credentials using the MD5 hash of the server realm
    string without also checking the server's URL. A malicious server able
    to provide a realm that triggers an MD5 collision could possibly use
    this flaw to obtain the credentials for a different realm.
    (CVE-2014-3528)
    
    Red Hat would like to thank the Subversion project for reporting
    CVE-2014-3580 and CVE-2014-8108. Upstream acknowledges Evgeny Kotkov
    of VisualSVN as the original reporter.
    
    All subversion users should upgrade to these updated packages, which
    contain backported patches to correct these issues. After installing
    the updated packages, for the update to take effect, you must restart
    the httpd daemon, if you are using mod_dav_svn, and the svnserve
    daemon, if you are serving Subversion repositories via the svn://
    protocol."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2015-February/004840.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected subversion packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mod_dav_svn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion-javahl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion-kde");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion-ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:subversion-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/02/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"mod_dav_svn-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-devel-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-gnome-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-javahl-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-kde-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-libs-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-perl-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-python-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-ruby-1.7.14-7.el7_0")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"subversion-tools-1.7.14-7.el7_0")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_dav_svn / subversion / subversion-devel / subversion-gnome / etc");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201610-05.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201610-05 (Subversion, Serf: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in Subversion and Serf. Please review the CVE identifiers referenced below for details Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, conduct a man-in-the-middle attack, obtain sensitive information, or cause a Denial of Service Condition. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 93992
    published: 2016-10-12
    reporter: This script is Copyright (C) 2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/93992
    title: GLSA-201610-05 : Subversion, Serf: Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201610-05.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93992);
      script_version("$Revision: 2.1 $");
      script_cvs_date("$Date: 2016/10/12 13:47:11 $");
    
      script_cve_id("CVE-2014-0032", "CVE-2014-3504", "CVE-2014-3522", "CVE-2014-3528", "CVE-2015-0202", "CVE-2015-0248", "CVE-2015-0251", "CVE-2015-3184", "CVE-2015-3187", "CVE-2015-5259", "CVE-2016-2167", "CVE-2016-2168");
      script_xref(name:"GLSA", value:"201610-05");
    
      script_name(english:"GLSA-201610-05 : Subversion, Serf: Multiple Vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201610-05
    (Subversion, Serf: Multiple Vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Subversion and Serf.
          Please review the CVE identifiers referenced below for details
      
    Impact :
    
        A remote attacker could possibly execute arbitrary code with the
          privileges of the process, conduct a man-in-the-middle attack, obtain
          sensitive information, or cause a Denial of Service Condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201610-05"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Subversion users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=dev-vcs/subversion-1.9.4'
        All Serf users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-libs/serf-1.3.7'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:serf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:subversion");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-vcs/subversion", unaffected:make_list("ge 1.9.4", "rgt 1.8.16"), vulnerable:make_list("lt 1.9.4"))) flag++;
    if (qpkg_check(package:"net-libs/serf", unaffected:make_list("ge 1.3.7"), vulnerable:make_list("lt 1.3.7"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Subversion / Serf");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2014-511.NASL
    description: This subversion and libserf update fixes several security and non security issues : - subversion: guard against md5 hash collisions when finding cached credentials [bnc#889849] [CVE-2014-3528] - subversion: ra_serf: properly match wildcards in SSL certs. [bnc#890511] [CVE-2014-3522] - libserf: Handle NUL bytes in fields of an X.509 certificate. [bnc#890510] [CVE-2014-3504]
    last seen: 2020-06-05
    modified: 2014-08-25
    plugin id: 77364
    published: 2014-08-25
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77364
    title: openSUSE Security Update : libserf / subversion (openSUSE-SU-2014:1059-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2014-511.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(77364);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-3504", "CVE-2014-3522", "CVE-2014-3528");
    
      script_name(english:"openSUSE Security Update : libserf / subversion (openSUSE-SU-2014:1059-1)");
      script_summary(english:"Check for the openSUSE-2014-511 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This subversion and libserf update fixes several security and non
    security issues :
    
      - subversion: guard against md5 hash collisions when
        finding cached credentials [bnc#889849] [CVE-2014-3528]
    
      - subversion: ra_serf: properly match wildcards in SSL
        certs. [bnc#890511] [CVE-2014-3522]
    
      - libserf: Handle NUL bytes in fields of an X.509
        certificate. [bnc#890510] [CVE-2014-3504]"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=889849"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=890510"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=890511"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libserf / subversion packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libserf-1-0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libserf-1-0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libserf-1-1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libserf-1-1-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libserf-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libserf-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-bash-completion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-perl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-python-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-ruby-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-server-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/08/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.3|SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.3", reference:"libserf-1-0-1.1.1-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"libserf-1-0-debuginfo-1.1.1-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"libserf-debugsource-1.1.1-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"libserf-devel-1.1.1-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"libsvn_auth_gnome_keyring-1-0-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"libsvn_auth_gnome_keyring-1-0-debuginfo-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"libsvn_auth_kwallet-1-0-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"libsvn_auth_kwallet-1-0-debuginfo-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-bash-completion-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-debuginfo-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-debugsource-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-devel-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-perl-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-perl-debuginfo-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-python-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-python-debuginfo-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-server-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-server-debuginfo-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-tools-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"subversion-tools-debuginfo-1.7.18-2.36.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libserf-1-1-1.3.7-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libserf-1-1-debuginfo-1.3.7-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libserf-debugsource-1.3.7-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libserf-devel-1.3.7-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libsvn_auth_gnome_keyring-1-0-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libsvn_auth_kwallet-1-0-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libsvn_auth_kwallet-1-0-debuginfo-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-bash-completion-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-debuginfo-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-debugsource-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-devel-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-perl-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-perl-debuginfo-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-python-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-python-debuginfo-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-ruby-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-ruby-debuginfo-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-server-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-server-debuginfo-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-tools-1.8.10-2.29.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"subversion-tools-debuginfo-1.8.10-2.29.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libserf-1-0 / libserf-1-0-debuginfo / libserf-debugsource / etc");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2015-0165.NASL
    description: Updated subversion packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81277
    published: 2015-02-11
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81277
    title: CentOS 6 : subversion (CESA-2015:0165)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2015:0165 and 
    # CentOS Errata and Security Advisory 2015:0165 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81277);
      script_version("1.7");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2014-3528", "CVE-2014-3580");
      script_xref(name:"RHSA", value:"2015:0165");
    
      script_name(english:"CentOS 6 : subversion (CESA-2015:0165)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated subversion packages that fix two security issues are now
    available for Red Hat Enterprise Linux 6.
    
    Red Hat Product Security has rated this update as having Moderate
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    Subversion (SVN) is a concurrent version control system which enables
    one or more users to collaborate in developing and maintaining a
    hierarchy of files and directories while keeping a history of all
    changes. The mod_dav_svn module is used with the Apache HTTP Server to
    allow access to Subversion repositories via HTTP.
    
    A NULL pointer dereference flaw was found in the way the mod_dav_svn
    module handled REPORT requests. A remote, unauthenticated attacker
    could use a specially crafted REPORT request to crash mod_dav_svn.
    (CVE-2014-3580)
    
    It was discovered that Subversion clients retrieved cached
    authentication credentials using the MD5 hash of the server realm
    string without also checking the server's URL. A malicious server able
    to provide a realm that triggers an MD5 collision could possibly use
    this flaw to obtain the credentials for a different realm.
    (CVE-2014-3528)
    
    Red Hat would like to thank the Subversion project for reporting
    CVE-2014-3580. Upstream acknowledges Evgeny Kotkov of VisualSVN as the
    original reporter.
    
    All subversion users should upgrade to these updated packages, which
    contain backported patches to correct these issues. After installing
    the updated packages, for the update to take effect, you must restart
    the httpd daemon, if you are using mod_dav_svn, and the svnserve
    daemon, if you are serving Subversion repositories via the svn://
    protocol."
      );
      # https://lists.centos.org/pipermail/centos-announce/2015-February/020930.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?dab90a39"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected subversion packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-3580");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mod_dav_svn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-javahl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-kde");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:subversion-svn2cl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/02/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-6", reference:"mod_dav_svn-1.6.11-12.el6_6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"subversion-1.6.11-12.el6_6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"subversion-devel-1.6.11-12.el6_6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"subversion-gnome-1.6.11-12.el6_6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"subversion-javahl-1.6.11-12.el6_6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"subversion-kde-1.6.11-12.el6_6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"subversion-perl-1.6.11-12.el6_6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"subversion-ruby-1.6.11-12.el6_6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"subversion-svn2cl-1.6.11-12.el6_6")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_dav_svn / subversion / subversion-devel / subversion-gnome / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-9521.NASL
    description: This update includes the latest stable release of **Apache Subversion** 1.7, version **1.7.18**, fixing a minor security issue. **Client-side bugfixes:** - guard against md5 hash collisions when finding cached credentials (CVE-2014-3528). See : http://subversion.apache.org/security/CVE-2014-3528-advisory.txt **Developer-visible changes** **General:** - fix occasional failure in checkout_tests.py test 12. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-08-29
    plugin id: 77423
    published: 2014-08-29
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77423
    title: Fedora 19 : subversion-1.7.18-1.fc19 (2014-9521)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2014-9521.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(77423);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2014-3528");
      script_bugtraq_id(68995);
      script_xref(name:"FEDORA", value:"2014-9521");
    
      script_name(english:"Fedora 19 : subversion-1.7.18-1.fc19 (2014-9521)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update includes the latest stable release of **Apache
    Subversion** 1.7, version **1.7.18**, fixing a minor security issue.
    
    **Client-side bugfixes:**
    
      - guard against md5 hash collisions when finding cached
        credentials (CVE-2014-3528). See :
    
    http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
    
    **Developer-visible changes** **General:**
    
      - fix ocassional failure in checkout_tests.py test 12.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://subversion.apache.org/security/CVE-2014-3528-advisory.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1125799"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137098.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?832d8f20"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected subversion package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/08/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC19", reference:"subversion-1.7.18-1.fc19")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "subversion");
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_XCODE_6_2.NASL
    description: The Apple Xcode installed on the remote Mac OS X host is prior to version 6.2. It is, therefore, affected by the following vulnerabilities : - Numerous errors exist related to the bundled version of Apache Subversion. (CVE-2014-3522, CVE-2014-3528, CVE-2014-3580, CVE-2014-8108) - An error exists related to the bundled version of Git that allows arbitrary files to be added to the .git folder. (CVE-2014-9390)
    last seen: 2020-05-06
    modified: 2015-03-11
    plugin id: 81758
    published: 2015-03-11
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81758
    title: Apple Xcode < 6.2 (Mac OS X)
  • NASL family: Windows
    NASL id: SUBVERSION_1_8_10.NASL
    description: The version of Subversion Server installed on the remote host is version 1.x.x prior to 1.7.18 or 1.8.x prior to 1.8.10. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the Serf RA layer. This flaw causes wildcards for HTTPS connections to be improperly evaluated, which may result in the application accepting certificates that are not matched against the proper hostname. This may allow a remote man-in-the-middle attacker to intercept traffic and spoof valid sessions. (CVE-2014-3522) - An MD5 hash of the URL and authentication realm are used to store cached credentials, which may allow remote attackers to obtain these credentials via a specially crafted authentication realm. (CVE-2014-3528)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78068
    published: 2014-10-06
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/78068
    title: Apache Subversion 1.0.x - 1.7.17 / 1.8.x < 1.8.10 Multiple Vulnerabilities
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20150210_SUBVERSION_ON_SL7_X.NASL
    description: A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash. (CVE-2014-8108) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server
    last seen: 2020-03-18
    modified: 2015-02-12
    plugin id: 81310
    published: 2015-02-12
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81310
    title: Scientific Linux Security Update : subversion on SL7.x x86_64 (20150210)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2316-1.NASL
    description: Lieven Govaerts discovered that the Subversion mod_dav_svn module incorrectly handled certain request methods when SVNListParentPath was enabled. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2014-0032) Ben Reser discovered that Subversion did not correctly validate SSL certificates containing wildcards. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2014-3522) Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server. (CVE-2014-3528). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77219
    published: 2014-08-15
    reporter: Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77219
    title: Ubuntu 12.04 LTS / 14.04 LTS : subversion vulnerabilities (USN-2316-1)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2014-161.NASL
    description: Updated subversion packages fix security vulnerability : Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server (CVE-2014-3528).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77640
    published: 2014-09-12
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77640
    title: Mandriva Linux Security Advisory : subversion (MDVSA-2014:161)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-0165.NASL
    description: Updated subversion packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81292
    published: 2015-02-11
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81292
    title: RHEL 6 : subversion (RHSA-2015:0165)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-0165.NASL
    description: From Red Hat Security Advisory 2015:0165 : Updated subversion packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81288
    published: 2015-02-11
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81288
    title: Oracle Linux 6 : subversion (ELSA-2015-0165)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_83A418CC218211E4802C20CF30E32F6D.NASL
    description: Subversion Project reports : Using the Serf RA layer of Subversion for HTTPS uses the apr_fnmatch API to handle matching wildcards in certificate Common Names and Subject Alternate Names. However, apr_fnmatch is not designed for this purpose. Instead it is designed to behave like common shell globbing. In particular this means that
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77125
    published: 2014-08-12
    reporter: This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77125
    title: FreeBSD : subversion -- several vulnerabilities (83a418cc-2182-11e4-802c-20cf30e32f6d)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-0166.NASL
    description: Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash. (CVE-2014-8108) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81293
    published: 2015-02-11
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81293
    title: RHEL 7 : subversion (RHSA-2015:0166)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2015-085.NASL
    description: Updated subversion packages fix security vulnerabilities: The mod_dav_svn module in Apache Subversion before 1.8.8, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via an OPTIONS request (CVE-2014-0032). Ben Reser discovered that Subversion did not correctly validate SSL certificates containing wildcards. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications (CVE-2014-3522). Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server (CVE-2014-3528). A NULL pointer dereference flaw was found in the way mod_dav_svn handled REPORT requests. A remote, unauthenticated attacker could use a crafted REPORT request to crash mod_dav_svn (CVE-2014-3580). A NULL pointer dereference flaw was found in the way mod_dav_svn handled URIs for virtual transaction names. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash (CVE-2014-8108).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82338
    published: 2015-03-30
    reporter: This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82338
    title: Mandriva Linux Security Advisory : subversion (MDVSA-2015:085)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20150210_SUBVERSION_ON_SL6_X.NASL
    description: A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server
    last seen: 2020-03-18
    modified: 2015-02-12
    plugin id: 81309
    published: 2015-02-12
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81309
    title: Scientific Linux Security Update : subversion on SL6.x i386/x86_64 (20150210)

Redhat

advisories
  • rhsa
    id: RHSA-2015:0165
  • rhsa
    id: RHSA-2015:0166
rpms
  • mod_dav_svn-0:1.6.11-12.el6_6
  • subversion-0:1.6.11-12.el6_6
  • subversion-debuginfo-0:1.6.11-12.el6_6
  • subversion-devel-0:1.6.11-12.el6_6
  • subversion-gnome-0:1.6.11-12.el6_6
  • subversion-javahl-0:1.6.11-12.el6_6
  • subversion-kde-0:1.6.11-12.el6_6
  • subversion-perl-0:1.6.11-12.el6_6
  • subversion-ruby-0:1.6.11-12.el6_6
  • subversion-svn2cl-0:1.6.11-12.el6_6
  • mod_dav_svn-0:1.7.14-7.el7_0
  • subversion-0:1.7.14-7.el7_0
  • subversion-debuginfo-0:1.7.14-7.el7_0
  • subversion-devel-0:1.7.14-7.el7_0
  • subversion-gnome-0:1.7.14-7.el7_0
  • subversion-javahl-0:1.7.14-7.el7_0
  • subversion-kde-0:1.7.14-7.el7_0
  • subversion-libs-0:1.7.14-7.el7_0
  • subversion-perl-0:1.7.14-7.el7_0
  • subversion-python-0:1.7.14-7.el7_0
  • subversion-ruby-0:1.7.14-7.el7_0
  • subversion-tools-0:1.7.14-7.el7_0