Hi there,

As at: 20160501-0735 +0000 (UTC): Updated packages DO NOT APPEAR at the
Australian Mirror (IP: 150.203.164.61) of:
http://security.debian.org/debian-security/pool/updates/main/s/subversion/

Can someone please ensure that the updated packages are pushed out to
the Australian Mirror at the earliest opportunity?

Yours sincerely,
Bjoern.

On 01/05/16 10:26, James McCoy wrote:

Package : subversion
Version : 1.6.17dfsg-4+deb7u11
CVE ID : CVE-2016-2167 CVE-2016-2168

CVE-2016-2167

svnserve, the svn:// protocol server, can optionally use the Cyrus
SASL library for authentication, integrity protection, and encryption.
Due to a programming oversight, authentication against Cyrus SASL
would permit the remote user to specify a realm string which is
a prefix of the expected realm string.

CVE-2016-2168

Subversion's httpd servers are vulnerable to a remotely triggerable crash
in the mod_authz_svn module. The crash can occur during an authorization
check for a COPY or MOVE request with a specially crafted header value.
This allows remote attackers to cause a denial of service.
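
The class of realm-comparison mistake described under CVE-2016-2167, shown beside a corrected check. This is an added example, not part of the message above and not Subversion's code; the function names and the length-delimited "user@realm" input format are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: validates the realm part of a "user@realm" identity
 * that arrives as a length-delimited buffer (not NUL-terminated). */

/* Locate the realm inside in[0..inlen); returns NULL when there is no '@'. */
static const char *find_realm(const char *in, size_t inlen, size_t *realm_len)
{
    const char *at = memchr(in, '@', inlen);
    if (at == NULL)
        return NULL;
    *realm_len = inlen - (size_t)(at + 1 - in);
    return at + 1;
}

/* Flawed: compares only as many bytes as the client supplied, so any
 * prefix of the expected realm is accepted. */
int realm_ok_prefix(const char *in, size_t inlen, const char *expected)
{
    size_t n;
    const char *realm = find_realm(in, inlen, &n);
    if (realm == NULL)
        return 0;
    return strncmp(realm, expected, n) == 0;
}

/* Corrected: the lengths must match before the bytes are compared. */
int realm_ok_exact(const char *in, size_t inlen, const char *expected)
{
    size_t n;
    const char *realm = find_realm(in, inlen, &n);
    if (realm == NULL)
        return 0;
    return n == strlen(expected) && memcmp(realm, expected, n) == 0;
}

int main(void)
{
    const char *expected = "example.org";   /* constructed realm */
    const char *ids[] = { "alice@example.org", "alice@exam" };
    for (size_t i = 0; i < 2; i++)
        printf("%-18s prefix-check=%d exact-check=%d\n", ids[i],
               realm_ok_prefix(ids[i], strlen(ids[i]), expected),
               realm_ok_exact(ids[i], strlen(ids[i]), expected));
    return 0;
}
```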