
Apache Subversion mod_dav_svn Two Denial of Service Vulnerabilities


Secunia ID

SA44681

CVE-ID

CVE-2011-1752, CVE-2011-1783, CVE-2011-1921

Release Date

02 Jun 2011

Criticality

Moderately Critical

Solution Status

Vendor Patch

Software

Apache Subversion 1.x

Where

From remote

Impact

DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

Description

Two vulnerabilities have been reported in Apache Subversion, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) A NULL pointer dereference error in the mod_dav_svn module when processing baselined resource requests can be exploited to cause a crash.

This vulnerability is reported in versions 1.6.16 and prior.

2) An error within the mod_dav_svn module when handling certain path-based access control rules can be exploited to trigger an infinite loop and exhaust memory.

This vulnerability is reported in versions 1.5.0 through 1.6.16.

NOTE: A weakness in the handling of path-based access control rules, which could result in certain unreadable files and directories becoming readable, has also been reported.

Solution

Update to version 1.6.17.
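The following script is an added example and is not part of the Secunia advisory or of the Subversion project. It transcribes the two affected version ranges from the Description section and the fixed release from the Solution section, parses a Subversion version string (for instance the first line of `svn --version` output, or an `SVN/x.y.z` token in an Apache Server header), and reports which of the advisory's issues apply and whether an update to 1.6.17 is required. The sample input is constructed; the parser's handling of the `svn`/`Subversion` prefix is this example's own assumption about the input format.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release named in the advisory's Solution section.
FIXED_VERSION: Version = (1, 6, 17)

# (label, lowest affected or None for "and prior", highest affected),
# transcribed from the advisory's Description section.
ISSUES = [
    ("1) NULL pointer dereference on baselined resource requests", None, (1, 6, 16)),
    ("2) infinite loop in path-based access control handling", (1, 5, 0), (1, 6, 16)),
]

# A triple that follows an "svn" or "Subversion" token, e.g.
# "svn, version 1.6.16 (r1073529)" or "Apache/2.2 (Unix) SVN/1.6.16".
_TAGGED_RE = re.compile(r"(?:svn|subversion)\D{0,12}?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
# A bare version string such as "1.6.16" or "v1.6.16" and nothing else.
_BARE_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Optional[Version]:
    """Extract the Subversion X.Y.Z version from text; None if no version is found."""
    m = _TAGGED_RE.search(text) or _BARE_RE.match(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def affected_issues(version: Version) -> List[str]:
    """Labels of the advisory's issues whose version range contains this version."""
    hits = []
    for label, low, high in ISSUES:
        # Tuple comparison orders (major, minor, patch) lexicographically.
        if (low is None or low <= version) and version <= high:
            hits.append(label)
    return hits


def assess(text: str) -> Tuple[Optional[Version], List[str], bool]:
    """Return (parsed version, applicable issues, whether an update to 1.6.17 is needed)."""
    version = parse_version(text)
    if version is None:
        return None, [], False
    return version, affected_issues(version), version < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample: the first lines of `svn --version` on an unpatched server.
    sample = "svn, version 1.6.16 (r1073529)\n   compiled Feb 22 2011, 14:33:18\n"
    version, issues, needs_update = assess(sample)
    print("detected version:", ".".join(map(str, version)) if version else "unknown")
    for label in issues:
        print("  affected by", label)
    print("update to 1.6.17 required:", needs_update)
```

Feed it the version banner of each server in an inventory; a version below 1.6.17 is affected by issue 1 regardless of how old it is, while issue 2 only applies from 1.5.0 onward, so the two checks are kept separate rather than collapsed into a single "older than the fix" test.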

Reported by

1) Reported by the vendor
2) The vendor credits Ivan Zhakov, VisualSVN.

Original Advisory

http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt