subversion: CVE-2014-8108

Related Vulnerabilities: CVE-2014-8108, CVE-2014-3580

Debian Bug report logs - #773315

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 16 Dec 2014 07:36:02 UTC

Severity: grave

Tags: patch, security

Found in version subversion/1.7.5-1

Fixed in version subversion/1.8.10-5

Done: James McCoy <jamessan@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#773263; Package subversion. (Tue, 16 Dec 2014 07:36:06 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Samuelson <peter@p12n.org>. (Tue, 16 Dec 2014 07:36:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: subversion: CVE-2014-3580
Date: Tue, 16 Dec 2014 08:25:56 +0100
Package: subversion
Version: 1.5.1dfsg1-5
Severity: grave
Tags: security

Hi,
please see
http://subversion.apache.org/security/CVE-2014-3580-advisory.txt for
further information.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#773263; Package subversion. (Tue, 16 Dec 2014 08:06:05 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>. (Tue, 16 Dec 2014 08:06:05 GMT).


Message #10 received at 773263@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 773263@bugs.debian.org
Subject: Additional CVE ID
Date: Tue, 16 Dec 2014 08:59:56 +0100

Also http://subversion.apache.org/security/CVE-2014-8108-advisory.txt

Cheers,
        Moritz



Marked as found in versions subversion/1.6.17dfsg-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 Dec 2014 18:45:05 GMT).


Bug 773263 cloned as bug 773315 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 Dec 2014 18:51:05 GMT).


Changed Bug title to 'subversion: CVE-2014-8108' from 'subversion: CVE-2014-3580' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 Dec 2014 18:51:06 GMT).


Marked as found in versions subversion/1.7.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 Dec 2014 18:51:07 GMT).


No longer marked as found in versions subversion/1.5.1dfsg1-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 Dec 2014 18:51:07 GMT).


No longer marked as found in versions subversion/1.6.17dfsg-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 Dec 2014 18:51:08 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#773315; Package subversion. (Tue, 16 Dec 2014 19:51:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>. (Tue, 16 Dec 2014 19:51:04 GMT).


Message #27 received at 773315@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 773315@bugs.debian.org
Subject: Re: Bug#773263: Additional CVE ID
Date: Tue, 16 Dec 2014 20:46:48 +0100

Hi,

On Tue, Dec 16, 2014 at 08:59:56AM +0100, Moritz Muehlenhoff wrote:
> Also http://subversion.apache.org/security/CVE-2014-8108-advisory.txt

Have cloned the bugreport to #773315, since versions affected for
CVE-2014-8108 are different.

Regards,
Salvatore



Added tag(s) pending. Request was from jamessan@users.alioth.debian.org to control@bugs.debian.org. (Wed, 17 Dec 2014 05:09:09 GMT).


Added tag(s) patch. Request was from Ivo De Decker <ivodd@debian.org> to control@bugs.debian.org. (Thu, 18 Dec 2014 06:57:04 GMT).


Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Fri, 19 Dec 2014 01:51:09 GMT).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 19 Dec 2014 01:51:09 GMT).


Message #36 received at 773315-close@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 773315-close@bugs.debian.org
Subject: Bug#773315: fixed in subversion 1.8.10-5
Date: Fri, 19 Dec 2014 01:49:12 +0000

Source: subversion
Source-Version: 1.8.10-5

We believe that the bug you reported is fixed in the latest version of
subversion, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773315@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated subversion package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 17 Dec 2014 00:11:03 -0500
Source: subversion
Binary: subversion subversion-dbg libsvn1 libsvn-dev libsvn-doc libapache2-mod-svn libapache2-svn python-subversion subversion-tools libsvn-java libsvn-perl ruby-svn libsvn-ruby1.8
Architecture: source all amd64
Version: 1.8.10-5
Distribution: unstable
Urgency: medium
Maintainer: James McCoy <jamessan@debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Description:
 libapache2-mod-svn - Apache Subversion server modules for Apache httpd
 libapache2-svn - Apache Subversion server modules for Apache httpd (dummy package)
 libsvn-dev - Development files for Apache Subversion libraries
 libsvn-doc - Developer documentation for libsvn
 libsvn-java - Java bindings for Apache Subversion
 libsvn-perl - Perl bindings for Apache Subversion
 libsvn-ruby1.8 - Ruby bindings for Apache Subversion (dummy package)
 libsvn1    - Shared libraries used by Apache Subversion
 python-subversion - Python bindings for Apache Subversion
 ruby-svn   - Ruby bindings for Apache Subversion
 subversion - Advanced version control system
 subversion-dbg - Debug symbols for Apache Subversion
 subversion-tools - Assorted tools related to Apache Subversion
Closes: 773263 773315
Changes:
 subversion (1.8.10-5) unstable; urgency=medium
 .
   * patches/CVE-2014-8108: mod_dav_svn DoS vulnerability with invalid virtual
     transaction names  (Closes: #773315)
   * patches/CVE-2014-3580: mod_dav_svn DoS vulnerability with invalid REPORT
     requests (Closes: #773263)




Marked as found in versions subversion/1.0.0-1. Request was from Samuel Bronson <naesten@gmail.com> to control@bugs.debian.org. (Sun, 01 Mar 2015 00:42:04 GMT).


No longer marked as found in versions subversion/1.0.0-1. Request was from Samuel Bronson <naesten@gmail.com> to control@bugs.debian.org. (Sun, 01 Mar 2015 00:42:09 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 26 Oct 2016 07:28:29 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:21:27 2019; Machine Name: buxtehude
