[Bugs] [Bug 13322] New: [CVE 21] subversion 1.13.0 CVEs found
bugzilla
bugzilla at rosalinux.ru
Wed May 3 17:03:11 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13322
Platform: 2021.1
Bug ID: 13322
Summary: [CVE 21] subversion 1.13.0 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2020-17525, CVE-2021-28544,
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs at lists.rosalinux.ru
Reporter: y.tumanov at rosalinux.ru
QA Contact: bugs at lists.rosalinux.ru
CC: s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch CVEs for package subversion version 1.13.0
INFO (CVEs are): subversion 1.13.0
cves found
CVE-2020-17525
Desc: Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a
client sends a request for a non-existing repository URL. This can lead to
disruption for users of the service. This issue was fixed in
mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers
1.10.7
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-17525
Severity: HIGH
CVE-2021-28544
Desc: Apache Subversion SVN authz protected copyfrom paths regression
Subversion servers reveal 'copyfrom' paths that should be hidden according to
configured path-based authorization (authz) rules. When a node has been copied
from a protected location, users with access to the copy can see the 'copyfrom'
path of the original. This also reveals the fact that the node was copied. Only
the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve
servers are vulnerable.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-28544
Severity: MEDIUM
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.