<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_CONFIRMED "
   title="CONFIRMED - [CVE 21] subversion 1.13.0 CVEs found"
   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13322">13322</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[CVE 21] subversion 1.13.0 CVEs found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>ROSA Fresh
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>CVE-2020-17525, CVE-2021-28544,
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Flags</th>
          <td>secteam_verified?
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Please patch CVEs for package subversion version 1.13.0

INFO (CVEs are): subversion 1.13.0
 cves found
CVE-2020-17525
Desc: Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a
client sends a request for a non-existing repository URL. This can lead to
disruption for users of the service. This issue was fixed in
mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers
1.10.7
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-17525">https://nvd.nist.gov/vuln/detail/CVE-2020-17525</a>
Severity: HIGH
CVE-2021-28544
Desc: Apache Subversion SVN authz protected copyfrom paths regression
Subversion servers reveal 'copyfrom' paths that should be hidden according to
configured path-based authorization (authz) rules. When a node has been copied
from a protected location, users with access to the copy can see the 'copyfrom'
path of the original. This also reveals the fact that the node was copied. Only
the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve
servers are vulnerable.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-28544">https://nvd.nist.gov/vuln/detail/CVE-2021-28544</a>
Severity: MEDIUM</pre>
        </div>
      </p>


    </body>
</html>