[Bug 1915698] Re: Apache Subversion "mod_authz_svn" Denial of Service Vulnerability

Tue Mar 30 12:06:12 UTC 2021

I am in the same situation. We should probably try to understand the
wiki page that Seth linked to but I have yet to find the time to
understand all the Ubuntu-specifics.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to subversion in Ubuntu.
https://bugs.launchpad.net/bugs/1915698

Title:
  Apache Subversion "mod_authz_svn" Denial of Service Vulnerability

Status in subversion package in Ubuntu:
  Confirmed

Bug description:
  An error in the mod_authz_svn module can be exploited to trigger a
  NULL pointer dereference and subsequently cause a crash via a
  specially crafted request.

  Successful exploitation of this vulnerability requires the Apache
  HTTPD server to be configured to use an in-repository authz file with
  certain configuration directives (please see the vendor's advisory for
  further details).

  The vulnerability is reported in versions 1.9.0 through 1.10.6 and
  1.11.0 through 1.14.0.

  Affected Software

  The following software is affected by the described vulnerability.
  Please check the vendor links below to see if exactly your version is
  affected.

  Apache Subversion 1.x

  Solution

  Update to version 1.14.1 or 1.10.7.

  References

  1. https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
  <https://subversion.apache.org/security/CVE-2020-17525-advisory.txt>

  Please take appropriate measures.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1915698/+subscriptions