CVE-2013-4558: Input Validation
First published: Fri Nov 22 2013(Updated: )
A flaw was found in the way mod_dav_svn handled certain requests when SVNAutoversioning (in "/etc/httpd/conf.d/subversion.conf", for example) was enabled. If an attacker with commit access to a repository sent a request containing a crafted URL, it would cause the httpd process serving the request to crash. This issue affected Subversion versions 1.7.11 to 1.7.13, and 1.8.1 to 1.8.4. It has been corrected in versions 1.7.14 and 1.8.5. This issue does not affect the versions of Subversion in Red Hat Enterprise Linux 5 and 6. Acknowledgements: Red Hat would like to thank the Apache Subversion project for reporting this issue. Upstream acknowledges Philip Martin as the original reporter.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/subversion | <1.7.14 | 1.7.14 |
| redhat/subversion | <1.8.5 | 1.8.5 |
| Apache Mod Dav Svn | ||
| Apache Subversion | =1.7.11 | |
| Apache Subversion | =1.7.12 | |
| Apache Subversion | =1.7.13 | |
| Apache Subversion | =1.8.1 | |
| Apache Subversion | =1.8.2 | |
| Apache Subversion | =1.8.3 | |
| Apache Subversion | =1.8.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://subversion.apache.org/security/CVE-2013-4558-advisory.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1034377
- https://bugzilla.redhat.com/show_bug.cgi?id=1033431
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00029.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00048.html
- http://osvdb.org/100363
- https://github.com/apache/subversion/commit/2c77c43e4255555f3b79f761f0d141393a3856cc
- https://github.com/apache/subversion/commit/647e3f8365a74831bb915f63793b63e31fae062d
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-4558
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache mod dav svn
- canonical/apache subversion
- version/apache subversion/1.7.11
- version/apache subversion/1.7.12
- version/apache subversion/1.7.13
- version/apache subversion/1.8.1
- version/apache subversion/1.8.2
- version/apache subversion/1.8.3
- version/apache subversion/1.8.4
- package-manager/redhat