httpd-users mailing list archives

From "Brennan, Edward C (HII-Ingalls)" <ed.bren...@hii-ingalls.com>
Subject [users@httpd] RE: EXT :Re: [users@httpd] RE: EXT :Re: [users@httpd] apache 2.2.25 and svn commit
Date Fri, 02 Aug 2013 02:04:09 GMT
Thanks, Ben.  So based on your response, I still don't know what caused the error.  I introduced
apache 2.2.25 into my environment, and I get the error (which is why I posted to users@httpd,
since I didn't introduce a new subversion).  But when I revert back to apache 2.2.22, I don't
get the error.  I assumed the new software introduced the issue.  

Guess I can upgrade subversion, and put apache back to 2.2.25 and see if the error persists.

I appreciate your feedback.

-----Original Message-----
From: Ben Reser [mailto:ben@reser.org] 
Sent: Thursday, August 01, 2013 8:52 PM
To: users@httpd.apache.org
Subject: EXT :Re: [users@httpd] RE: EXT :Re: [users@httpd] apache 2.2.25 and svn commit

First of all this probably belongs on users@subversion.apache.org...

On Wed, Jul 31, 2013 at 1:43 PM, Brennan, Edward C (HII-Ingalls)
<ed.brennan@hii-ingalls.com> wrote:
> Thank you.
> I am trying to understand what the recommendation is here.  I am currently using SVN
> 1.6.6 and have apache 2.2.22 in production (reverted back from 2.2.25).  At this link:
> http://subversion.apache.org/security/CVE-2013-4131-advisory.txt

That issue is not applicable to 1.6.x.  Note the following bit from
the advisory you linked.

[[[
Known fixed:
============

  Subversion 1.8.1
  Subversion 1.7.11
  svnserve (any version) is not vulnerable.
  Subversion 1.6.x is not vulnerable.
]]]

> there is this blurb:
>
> Making a copy of the repository root is a valid Subversion operation.
>   However, a code change in Apache HTTPD 2.2.25/2.4.5 led to a codepath being
>   exercised for a revision root that was never before executed for a revision
>   root.  That code performs a hand-rolled path arithmetic instead of using the
>   internal path manipulation library, and thus passes an invalid path down to
>   a library function which runs an assert() validation on that path.
>
>   When assertions are enabled, the validation fails and kills the httpd
>   process.  When assertions are disabled, code would read beyond allocated
>   memory, which may lead to a segfault or undefined behavior.
>
>
> Is this what I'm running into when I perform a SVN Commit?

If you were running 1.7.0-1.7.10 or 1.8.0 (including rcs) then yes
that code would be run during a commit provided that you were doing a
copy or move from or to the repository root.  Somehow I suspect that's
not what you're doing based on what you've said so far.

> And the recommendations on that page:
>
> Recommendations:
> ================
>
>   We recommend all users to upgrade to Subversion 1.8.1 or 1.7.11.
>   Users who are unable to upgrade may apply the included patches.
>
>   New Subversion packages can be found at:
>   http://subversion.apache.org/packages.html
>
>   We remind users that we recommend upgrading Apache HTTPD to 2.2.25 (for
>   repositories served by HTTPD) due to an independent security issue fixed
>   in that HTTPD release: CVE-2013-1896.  See <http://s.apache.org/H1a> for
>   details about CVE-2013-1896, including a recommendation for those who serve
>   Subversion repositories with Apache HTTPD 2.4.x.
>
> So is this saying that while apache 2.2.25 introduced the issue, I should keep that version
> for the security vulnerability fix, and upgrade SVN to 1.8.1 or 1.7.11?

At a minimum you should upgrade to 1.6.23 as there are several
security issues that have been fixed in later 1.6.x releases that are
not addressed in the 1.6.6 version you're running now.  See this page
for the list of security issues:
http://subversion.apache.org/security/

However, I should point out that 1.6.x is no longer supported by the
Subversion project and you should upgrade to 1.7.11 or 1.8.1 at your
earliest convenience.  We will not be producing any further updates
for 1.6.x.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
