Apache Subversion官网安全更新（2021-02-10）

Remote unauthenticated denial-of-service in mod_authz_svn.

<br/> Remote unauthenticated denial-of-service in Subversion mod_authz_svn.<br/><br/>Summary:<br/>========<br/><br/> Subversion&#39;s mod_authz_svn module will crash if the server is using<br/> in-repository authz rules with the AuthzSVNReposRelativeAccessFile<br/> option and a client sends a request for a non-existing repository URL.<br/><br/> This can lead to disruption for users of the service.<br/><br/>Known vulnerable:<br/>=================<br/><br/> mod_dav_svn+mod_authz_svn servers 1.9.0 through 1.10.6 (inclusive).<br/> mod_dav_svn+mod_authz_svn servers 1.11.0 through 1.14.0 (inclusive).<br/><br/>Known fixed:<br/>============<br/><br/> mod_dav_svn+mod_authz_svn servers 1.14.1<br/> mod_dav_svn+mod_authz_svn servers 1.10.7<br/><br/>Details:<br/>========<br/><br/> A null-pointer-dereference has been found in mod_authz_svn that results in<br/> a remote unauthenticated Denial-of-Service in some server configurations.<br/><br/> The vulnerability can be triggered by an unauthenticated user if the<br/> Apache HTTPD server is configured to use an in-repository authz file,<br/> with configuration directives such as:<br/><br/> AuthzSVNAccessFile &#34;^/authz&#34;<br/> AuthzSVNReposRelativeAccessFile &#34;^/authz&#34;<br/><br/> The problem originates when sending a GET request to a non-existent<br/> repository. The mod_authz_svn module will attempt to find authz rules<br/> at a path within the requested SVN repository. Upon constructing this<br/> path, the function svn_repos_find_root_path will return a NULL pointer<br/> since the requested repository does not exist on-disk.<br/> A check for this legitimate NULL pointer condition is missing, which<br/> results in a segmentation fault when the NULL pointer is used.<br/><br/> The in-repository authz feature was first introduced in Subversion 1.8:<br/> https://subversion.apache.org/docs/release-notes/1.8.html#in-repo-authz<br/><br/> The missing NULL check was first introduced during refactoring of the<br/> authz code during development work leading up to Subversion 1.9.<br/> Subversion 1.8 servers are unaffected.<br/><br/>Severity:<br/>=========<br/><br/> CVSSv3 Base Score: 7.5 (High)<br/><br/> CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H<br/><br/> Exploitation results in denial of service by crashing the HTTPD worker<br/> handling the request. The impact of this differs depending on how the<br/> Apache HTTPD server is configured, including the choice of MPM (Multi-<br/> Processing-Module). If the worker shares its memory address space with<br/> the main thread, as is the case with e.g. the Event MPM, the entire<br/> HTTPD server process will terminate. If the pre-fork MPM is used, the<br/> worker will terminate but the HTTPD server will stay up, and service<br/> availability will depend on how frequently the attacker is able to<br/> send malicious requests which target the vulnerability.<br/><br/>Recommendations:<br/>================<br/><br/> We recommend all users to upgrade to a known fixed release of the<br/> Subversion mod_dav_svn server.<br/><br/> Users who are unable to upgrade may apply the included patches.<br/><br/> As a workaround, the use of in-repository authz rules files with<br/> the AuthzSVNReposRelativeAccessFile can be avoided by switching<br/> to an alternative configuration which fetches an authz rules file<br/> from the server&#39;s filesystem, rather than from an SVN repository.<br/><br/>References:<br/>===========<br/><br/> CVE-2020-17525 (Subversion)<br/><br/>Reported by:<br/>============<br/><br/> Thomas Åkesson, simonsoft.se<br/><br/>Patches:<br/>========<br/><br/> Patch for Subversion 1.10, 1.14:<br/><br/>[[[<br/>Index: subversion/libsvn_repos/config_file.c<br/>===================================================================<br/>--- subversion/libsvn_repos/config_file.c (revision 1883994)<br/>+++ subversion/libsvn_repos/config_file.c (working copy)<br/>@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream,<br/> {<br/> /* Search for a repository in the full path. */<br/> repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool);<br/>+ if (repos_root_dirent == NULL)<br/>+ return svn_error_trace(handle_missing_file(stream, checksum, access,<br/>+ url, must_exist,<br/>+ svn_node_none));<br/> <br/> /* Attempt to open a repository at repos_root_dirent. */<br/> SVN_ERR(svn_repos_open3(&amp;access-&gt;repos, repos_root_dirent, NULL,<br/>]]]<br/>

Subversion是一个开源版本控制系统

<p><a target="_blank" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17525">CVE-2020-17525</a></p>

暂无

暂无

https://subversion.apache.org/security/CVE-2020-17525-advisory.txt