SB2013121729 - Amazon Linux AMI update for subversion

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2013121729

SB2013121729 - Amazon Linux AMI update for subversion

Published: December 17, 2013

Security Bulletin ID SB2013121729
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4505)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.


2) Input validation error (CVE-ID: CVE-2013-4558)

The vulnerability allows a remote #AU# to perform service disruption.

The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.


Remediation

Install update from vendor's website.

References