openSUSE-SU-2017:2183-1

Опубликовано: 16 авг. 2017

Источник: suse-cvrf

Описание

Security update for subversion

This update for subversion to 1.9.7 fixes security issues and bugs.

The following vulnerabilities were fixed:

CVE-2017-9800: A remote attacker could have caused svn clients to execute arbitrary code via specially crafted URLs in svn:externals and svn:sync-from-url properties. (boo#1051362)
CVE-2005-4900: SHA-1 collisions may cause repository inconsistencies (boo#1026936)

The following bugfix changes are included:

Add instructions for running svnserve as a user different from 'svn', and remove sysconfig variables that are no longer effective with the systemd unit. (boo#1049448)

Список пакетов

openSUSE Leap 42.2

libsvn_auth_gnome_keyring-1-0-1.9.7-8.1

libsvn_auth_kwallet-1-0-1.9.7-8.1

subversion-1.9.7-8.1

subversion-bash-completion-1.9.7-8.1

subversion-devel-1.9.7-8.1

subversion-perl-1.9.7-8.1

subversion-python-1.9.7-8.1

subversion-python-ctypes-1.9.7-8.1

subversion-ruby-1.9.7-8.1

subversion-server-1.9.7-8.1

subversion-tools-1.9.7-8.1

openSUSE Leap 42.3

libsvn_auth_gnome_keyring-1-0-1.9.7-8.1

libsvn_auth_kwallet-1-0-1.9.7-8.1

subversion-1.9.7-8.1

subversion-bash-completion-1.9.7-8.1

subversion-devel-1.9.7-8.1

subversion-perl-1.9.7-8.1

subversion-python-1.9.7-8.1

subversion-python-ctypes-1.9.7-8.1

subversion-ruby-1.9.7-8.1

subversion-server-1.9.7-8.1

subversion-tools-1.9.7-8.1

Ссылки

https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00052.html
E-Mail link for openSUSE-SU-2017:2183-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings

Описание

A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

Затронутые продукты

openSUSE Leap 42.2:libsvn_auth_gnome_keyring-1-0-1.9.7-8.1

openSUSE Leap 42.2:libsvn_auth_kwallet-1-0-1.9.7-8.1

openSUSE Leap 42.2:subversion-1.9.7-8.1

openSUSE Leap 42.2:subversion-bash-completion-1.9.7-8.1

Ссылки

https://www.suse.com/security/cve/CVE-2017-9800.html
CVE-2017-9800
https://bugzilla.suse.com/1051362
SUSE Bug 1051362
https://bugzilla.suse.com/1052481
SUSE Bug 1052481
https://bugzilla.suse.com/1052696
SUSE Bug 1052696
https://bugzilla.suse.com/1052932
SUSE Bug 1052932
https://bugzilla.suse.com/1053364
SUSE Bug 1053364
https://bugzilla.suse.com/1066430
SUSE Bug 1066430
https://bugzilla.suse.com/1071709
SUSE Bug 1071709
https://bugzilla.suse.com/1128150
SUSE Bug 1128150

openSUSE-SU-2017:2183-1

Описание

Список пакетов

openSUSE Leap 42.2

openSUSE Leap 42.3

Ссылки

Уязвимость: CVE-2017-9800

Описание

Затронутые продукты

Ссылки