subversion-announce mailing list archives

From Hyrum Wright <hwri...@apache.org>
Subject Vulnerability in APR: CVE-2011-0419
Date Sat, 14 May 2011 11:30:20 GMT
To interested persons:

Apache Subversion uses the Apache Portable Runtime (APR) to provide
platform-specific and other utility services.  APR has announced the
availability of APR 1.4.4, which addresses CVE-2011-0419, an
unconstrained recursion bug in the apr_fnmatch() function.  An attacker
could exploit this issue to make the target machine exhaust stack
memory or consume excessive CPU, i.e. a denial of service.  Prior to
Subversion 1.6.16, mod_dav_svn called the vulnerable function on
untrusted data, exposing it to this flaw.

In Subversion 1.6.16, mod_dav_svn was changed to avoid the use of
apr_fnmatch(), eliminating this attack vector for Subversion.  Thus,
Subversion installations are only vulnerable if they are running *both*
APR < 1.4.4 and Subversion < 1.6.16, and only through mod_dav_svn.  It
is recommended that users upgrade one or both of these components as
soon as is convenient.
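The exposure rule above (vulnerable only when APR < 1.4.4 AND Subversion < 1.6.16) is easy to get wrong when checked by hand, so here is an added example script, not part of this advisory or of the Subversion project, that encodes the rule and applies it to the versions found on a host. The commands used to query versions are assumptions: apr-1-config (installed with APR 1.x) and svn --version --quiet; replace them with whatever your packaging provides.

```shell
#!/bin/sh
# Added example (not from the Subversion advisory): decide whether a host
# running mod_dav_svn is exposed to CVE-2011-0419 using the advisory's rule,
# "vulnerable only if APR < 1.4.4 and Subversion < 1.6.16".

# version_lt A B: return 0 if dotted version A sorts strictly before B.
# Compares up to four numeric components; a trailing non-numeric suffix such
# as "16-r1" is ignored, and missing components count as 0 ("1.4" == "1.4.0").
version_lt() {
    vl_a="$1"; vl_b="$2"; vl_i=1
    while [ "$vl_i" -le 4 ]; do
        # A trailing "." guarantees cut sees a delimiter even for "1".
        vl_x=$(printf '%s.\n' "$vl_a" | cut -d. -f"$vl_i")
        vl_y=$(printf '%s.\n' "$vl_b" | cut -d. -f"$vl_i")
        vl_x=${vl_x%%[!0-9]*}; vl_y=${vl_y%%[!0-9]*}
        vl_x=${vl_x:-0};       vl_y=${vl_y:-0}
        [ "$vl_x" -lt "$vl_y" ] && return 0
        [ "$vl_x" -gt "$vl_y" ] && return 1
        vl_i=$((vl_i + 1))
    done
    return 1   # equal
}

# cve_2011_0419_exposed APR_VERSION SVN_VERSION: return 0 only when BOTH
# components are below the fixed releases named in the advisory.
cve_2011_0419_exposed() {
    version_lt "$1" 1.4.4 && version_lt "$2" 1.6.16
}

# Version probes (assumed command names; adjust for your distribution).
installed_apr_version() { apr-1-config --version 2>/dev/null; }
installed_svn_version() { svn --version --quiet 2>/dev/null; }

# report: print a verdict for this host. Exit 0 = exposed, 1 = not exposed,
# 2 = could not determine both versions.
report() {
    rp_apr=$(installed_apr_version)
    rp_svn=$(installed_svn_version)
    if [ -z "$rp_apr" ] || [ -z "$rp_svn" ]; then
        echo "cannot determine versions (apr='$rp_apr', svn='$rp_svn')" >&2
        return 2
    fi
    if cve_2011_0419_exposed "$rp_apr" "$rp_svn"; then
        echo "EXPOSED: APR $rp_apr < 1.4.4 and Subversion $rp_svn < 1.6.16;" \
             "upgrade either component"
        return 0
    fi
    echo "not exposed: APR $rp_apr, Subversion $rp_svn"
    return 1
}

# Run the host check only when invoked as: sh check.sh --check
case "${1:-}" in
    --check) report ;;
esac
```

One caveat: the APR that apr-1-config reports is not necessarily the one mod_dav_svn is loaded with (httpd is often built against its own copy). On a server, confirm the library actually linked, for example with `ldd` on mod_dav_svn.so, and feed that version to cve_2011_0419_exposed instead.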

To read more about the APR 1.4.4 release, see
http://www.apache.org/dist/apr/Announcement1.x.html

- The Subversion Team
