From: Troy Curtis
To: announce@subversion.apache.org, users@subversion.apache.org, Subversion Development, announce@apache.org, security@apache.org
Reply-To: users@subversion.apache.org
Subject: [CVE-2018-11803] Apache Subversion Denial of Service Vulnerability
Message-ID: <60d59530-6950-35c5-d118-69e5549b7bf1@apache.org>
Date: Tue, 22 Jan 2019 22:55:14 -0500

This is a security notification for Apache Subversion HTTP Servers:

CVE-2018-11803
Severity: Medium
Affected Versions: Apache Subversion 1.11.0, 1.10.0 to 1.10.3

Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.

This issue can be triggered by any client on Subversion repositories configured for anonymous read access. If read access requires authentication, a denial of service attack can only be performed by an authenticated user.

The Subversion releases 1.10.4 and 1.11.1 contain the fixes for this vulnerability and are available immediately at:

https://dist.apache.org/repos/dist/release/subversion/?p=32084

Additional details, including patches for 1.10.3 and 1.11.0, can be found at:

https://subversion.apache.org/security/CVE-2018-11803-advisory.txt

We encourage users of Subversion to upgrade to the latest appropriate version as soon as reasonable.

Thanks,
- The Subversion Team
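
A triage sketch for the version ranges listed in the advisory above, added here as an example and not part of the original message or of the Subversion project. The function names, the "host version" inventory format and the sample hosts are assumptions made for illustration; version strings that are not plain MAJOR.MINOR.PATCH are flagged for manual review rather than guessed at.

```shell
#!/bin/sh
# Classify a Subversion version string against the advisory's list:
# affected = 1.11.0 and 1.10.0 through 1.10.3 (fixed in 1.10.4 and 1.11.1).
# Prints "affected", "not-affected" (not in the advisory's list) or "unparsed".
svn_cve_2018_11803_status() {
    ver=$1
    # Accept only digits and single dots; suffixes such as -rc1 or distro
    # tags are reported as "unparsed" so that a human looks at them.
    case $ver in
        *[!0-9.]*|*..*|.*|*.|'') echo unparsed; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unparsed; return 0; }
    major=$1 minor=$2 patch=$3
    if [ "$major" -eq 1 ] && [ "$minor" -eq 10 ] && [ "$patch" -le 3 ]; then
        echo affected
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 11 ] && [ "$patch" -eq 0 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Read "host version" pairs on stdin (hypothetical inventory format) and
# print only the hosts that need patching or manual review.
hosts_to_patch() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(svn_cve_2018_11803_status "$ver")
        [ "$status" = not-affected ] || echo "$host $ver $status"
    done
}

# Constructed sample inventory: hostnames and versions are made up.
sample_inventory() {
    cat <<'EOF'
svn-a.example 1.10.3
svn-b.example 1.10.4
svn-c.example 1.11.0
svn-d.example 1.11.1
svn-e.example 1.10.2-rc1
EOF
}

sample_inventory | hosts_to_patch
```

Hosts reported as affected that also allow anonymous read access are the ones the advisory says any client can crash, so they are the first to upgrade.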