On Tue, Jan 4, 2011 at 10:02 AM, Jan Lieskovsky <jlies...@redhat.com> wrote: > Hello Kurt, Josh, vendors, > > Josh Bressers wrote: >> >> ----- Original Message ----- >>> >>> Unspecified vulnerability in the server component in Apache Subversion >>> 1.6.x before 1.6.15 allows remote attackers to cause a denial of >>> service via unknown vectors, related to a "several bug fixes, >>> including two which can cause client-initiated crashes on the server." >>> >>> [1] http://svn.haxx.se/dev/archive-2010-11/0475.shtml > > Cc-ed Hyrum to shed more light into this one. [1] mentions two issues: > <begin quote> > ... > several bug fixes, including two which can cause client-initiated > crashes on the server. > </end quote> > > Further look at: > [2] http://svn.apache.org/repos/asf/subversion/tags/1.6.15/CHANGES > > suggest: > > A, "* prevent crash in mod_dav_svn when using SVNParentPath (r1033166)" > being the first one. > Upstream changeset: > http://svn.apache.org/viewvc?view=revision&revision=1033166 > > and after discussion with Joe Orton, Joe suggested: > > B, * fix server-side memory leaks triggered by 'blame -g' (r1032808) > References: > http://svn.haxx.se/dev/archive-2010-11/0102.shtml > Upstream changeset: > http://svn.apache.org/viewvc?view=revision&revision=1032808 > > being the second one as denial of service attack (by memory consumption) > against > svnserve. > > Questions: > ---------- > Hyrum, could you confirm A, and B, issues are those two, mentioned in [2] > to be able to cause client-initiated crashes on the server?
I can confirm that A and B are the two issues mentioned in [2]. >> I admit, this isn't obvious, so let's use CVE-2010-4539 for now. >> We can split it if needed once more information is known. > > Josh, since CVE-2010-4539 was assigned. Once Hyrum confirms, can > we consider CVE-2010-4539 to be a CVE identifier for A, issue > and request yet another / second one for B, issue? We didn't initially reserve CVEs for these vulnerabilities, but will be happy to update our documentation to reflect them. (See http://subversion.apache.org/security/ ) The two issues really are orthogonal, so B should probably not be included in a CVE for A. I've CC'd dev@subversion.apache.org to help coordinate advisory authoring. -Hyrum
