============================================================================ Ubuntu Security Notice USN-1893-1 June 27, 2013 subversion vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.04 - Ubuntu 12.10 - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Subversion. Software Description: - subversion: Advanced version control system Details: Alexander Klink discovered that the Subversion mod_dav_svn module for Apache did not properly handle a large number of properties. A remote authenticated attacker could use this flaw to cause memory consumption, leading to a denial of service. (CVE-2013-1845) Ben Reser discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain LOCKs. A remote authenticated attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-1846) Philip Martin and Ben Reser discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain LOCKs. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-1847) It was discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain PROPFIND requests. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-1849) Greg McMullin, Stefan Fuhrmann, Philip Martin, and Ben Reser discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain log REPORT requests. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. This issue only affected Ubuntu 12.10 and Ubuntu 13.04. (CVE-2013-1884) Stefan Sperling discovered that Subversion incorrectly handled newline characters in filenames. A remote authenticated attacker could use this flaw to corrupt FSFS repositories. (CVE-2013-1968) Boris Lytochkin discovered that Subversion incorrectly handled TCP connections that were closed early. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-2112) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.04: libapache2-svn 1.7.5-1ubuntu3.1 libsvn1 1.7.5-1ubuntu3.1 Ubuntu 12.10: libapache2-svn 1.7.5-1ubuntu2.1 libsvn1 1.7.5-1ubuntu2.1 Ubuntu 12.04 LTS: libapache2-svn 1.6.17dfsg-3ubuntu3.3 libsvn1 1.6.17dfsg-3ubuntu3.3 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1893-1 CVE-2013-1845, CVE-2013-1846, CVE-2013-1847, CVE-2013-1849, CVE-2013-1884, CVE-2013-1968, CVE-2013-2112 Package Information: https://launchpad.net/ubuntu/+source/subversion/1.7.5-1ubuntu3.1 https://launchpad.net/ubuntu/+source/subversion/1.7.5-1ubuntu2.1 https://launchpad.net/ubuntu/+source/subversion/1.6.17dfsg-3ubuntu3.3