SB2013041110 - Amazon Linux AMI update for subversion

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2013-1845)

The vulnerability allows a remote #AU# to perform service disruption.

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. Per http://lists.opensuse.org/opensuse-updates/2013-04/msg00095.html "Affected Products: openSUSE 12.3 openSUSE 12.2 openSUSE 12.1"

2) Input validation error (CVE-ID: CVE-2013-1846)

The vulnerability allows remote authenticated users to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer dereference and crash) via a LOCK on an activity URL.

3) Input validation error (CVE-ID: CVE-2013-1847)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist.

4) Input validation error (CVE-ID: CVE-2013-1849)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer dereference and crash) via a PROPFIND request for an activity URL.

Remediation

Install update from vendor's website.

References

• https://alas.aws.amazon.com/ALAS-2013-180.html