subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Parrish Knight <parrish.kni...@noaa.gov>
Subject Re: Subversion upgrade problem
Date Mon, 22 Oct 2012 12:58:49 GMT
On Mon, Oct 22, 2012 at 8:54 AM, Stefan Sperling <stsp@elego.de> wrote:
> On Mon, Oct 22, 2012 at 08:43:16AM -0400, Parrish Knight wrote:
>> Good morning:
>>
>> I am the Help Desk Lead at the National Geodetic Survey, an agency of
>> NOAA, the National Oceanic and Atmospheric Administration.  Currently,
>> I am in the process of migrating one of our developers from a rather
>> aged desktop to a more modern laptop.  Part of our upgrade procedue is
>> for our security officer to scan all new seats for vulnerabilities
>> before approving them for release to the end user.  I've got a bit of
>> a puzzler regarding a vulnerability in Subversion, and I have not been
>> able to locate a remedy.  The recommended remedy is to uninstall all
>> previous versions of Subversion and install the most recent version
>> (currently 1.7.7).  I followed this procedure, but our security
>> officer reported that the problem persists.
>
> Hi,
>
> which problem do you mean exactly?

The reported problem is with earlier versions of Subversion, but our
security officer reports that the problem persists even after an
upgrade.

"Multiple integer overflows in the libsvn_delta library in Subversion
before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users
and remote Subversion servers to execute arbitrary code via an svndiff
stream with large windows that trigger a heap-based buffer overflow, a
related issue to CVE-2009-2412."

http://www.orvant.com/vuln/detail/181334/CVE-2009-2411

-- 
Parrish S. Knight
NGS Help Desk Lead
301-713-3254 x184
parrish.knight@noaa.gov

Mime
View raw message