subversion-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Reser <bre...@apache.org>
Subject Importance of Apache HTTP 2.2.25 Release to Subversion Admins
Date Thu, 11 Jul 2013 22:11:45 GMT
As you may have seen on our announce mailing list yesterday, the
Apache HTTP Server Project released 2.2.25 yesterday.

This release includes a security fix that is important for Subversion
sites using mod_dav_svn to host their repositories.  Specifically it
includes a fix for the following DoS issue:

   * SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by
     mod_dav_svn with the source href (sent as part of the request body
     as XML) pointing to a URI that is not configured for DAV will
     trigger a segfault.

Exploiting this vulnerability does require write access to the
repository, so it is a relatively low risk issue.

There are no known workarounds available, so the only way to resolve
this issue is to upgrade or patch the Apache HTTP server.  Also note
that at this time there is no Apache HTTP 2.4.x release that includes
this fix.  We anticipate that the HTTP project will release 2.4.5 soon
which we expect to include the fix for those using HTTP 2.4.x.

You can download the Apache HTTP 2.2.25 release from:

    http://httpd.apache.org/download.cgi

Mime
View raw message