Security update for subversion SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2183-1 Final 1 1 2017-08-16T18:10:05Z current 2017-08-16T18:10:05Z 2017-08-16T18:10:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for subversion This update for subversion to 1.9.7 fixes security issues and bugs. The following vulnerabilities were fixed: - CVE-2017-9800: A remote attacker could have caused svn clients to execute arbitrary code via specially crafted URLs in svn:externals and svn:sync-from-url properties. (boo#1051362) - CVE-2005-4900: SHA-1 collisions may cause repository inconsistencies (boo#1026936) The following bugfix changes are included: - Add instructions for running svnserve as a user different from 'svn', and remove sysconfig variables that are no longer effective with the systemd unit. (boo#1049448) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00052.html E-Mail link for openSUSE-SU-2017:2183-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 libsvn_auth_gnome_keyring-1-0-1.9.7-8.1 libsvn_auth_kwallet-1-0-1.9.7-8.1 subversion-1.9.7-8.1 subversion-bash-completion-1.9.7-8.1 subversion-devel-1.9.7-8.1 subversion-perl-1.9.7-8.1 subversion-python-1.9.7-8.1 subversion-python-ctypes-1.9.7-8.1 subversion-ruby-1.9.7-8.1 subversion-server-1.9.7-8.1 subversion-tools-1.9.7-8.1 libsvn_auth_gnome_keyring-1-0-1.9.7-8.1 as a component of openSUSE Leap 42.2 libsvn_auth_kwallet-1-0-1.9.7-8.1 as a component of openSUSE Leap 42.2 subversion-1.9.7-8.1 as a component of openSUSE Leap 42.2 subversion-bash-completion-1.9.7-8.1 as a component of openSUSE Leap 42.2 subversion-devel-1.9.7-8.1 as a component of openSUSE Leap 42.2 subversion-perl-1.9.7-8.1 as a component of openSUSE Leap 42.2 subversion-python-1.9.7-8.1 as a component of openSUSE Leap 42.2 subversion-python-ctypes-1.9.7-8.1 as a component of openSUSE Leap 42.2 subversion-ruby-1.9.7-8.1 as a component of openSUSE Leap 42.2 subversion-server-1.9.7-8.1 as a component of openSUSE Leap 42.2 subversion-tools-1.9.7-8.1 as a component of openSUSE Leap 42.2 libsvn_auth_gnome_keyring-1-0-1.9.7-8.1 as a component of openSUSE Leap 42.3 libsvn_auth_kwallet-1-0-1.9.7-8.1 as a component of openSUSE Leap 42.3 subversion-1.9.7-8.1 as a component of openSUSE Leap 42.3 subversion-bash-completion-1.9.7-8.1 as a component of openSUSE Leap 42.3 subversion-devel-1.9.7-8.1 as a component of openSUSE Leap 42.3 subversion-perl-1.9.7-8.1 as a component of openSUSE Leap 42.3 subversion-python-1.9.7-8.1 as a component of openSUSE Leap 42.3 subversion-python-ctypes-1.9.7-8.1 as a component of openSUSE Leap 42.3 subversion-ruby-1.9.7-8.1 as a component of openSUSE Leap 42.3 subversion-server-1.9.7-8.1 as a component of openSUSE Leap 42.3 subversion-tools-1.9.7-8.1 as a component of openSUSE Leap 42.3 A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://. CVE-2017-9800 openSUSE Leap 42.2:libsvn_auth_gnome_keyring-1-0-1.9.7-8.1 openSUSE Leap 42.2:libsvn_auth_kwallet-1-0-1.9.7-8.1 openSUSE Leap 42.2:subversion-1.9.7-8.1 openSUSE Leap 42.2:subversion-bash-completion-1.9.7-8.1 openSUSE Leap 42.2:subversion-devel-1.9.7-8.1 openSUSE Leap 42.2:subversion-perl-1.9.7-8.1 openSUSE Leap 42.2:subversion-python-1.9.7-8.1 openSUSE Leap 42.2:subversion-python-ctypes-1.9.7-8.1 openSUSE Leap 42.2:subversion-ruby-1.9.7-8.1 openSUSE Leap 42.2:subversion-server-1.9.7-8.1 openSUSE Leap 42.2:subversion-tools-1.9.7-8.1 openSUSE Leap 42.3:libsvn_auth_gnome_keyring-1-0-1.9.7-8.1 openSUSE Leap 42.3:libsvn_auth_kwallet-1-0-1.9.7-8.1 openSUSE Leap 42.3:subversion-1.9.7-8.1 openSUSE Leap 42.3:subversion-bash-completion-1.9.7-8.1 openSUSE Leap 42.3:subversion-devel-1.9.7-8.1 openSUSE Leap 42.3:subversion-perl-1.9.7-8.1 openSUSE Leap 42.3:subversion-python-1.9.7-8.1 openSUSE Leap 42.3:subversion-python-ctypes-1.9.7-8.1 openSUSE Leap 42.3:subversion-ruby-1.9.7-8.1 openSUSE Leap 42.3:subversion-server-1.9.7-8.1 openSUSE Leap 42.3:subversion-tools-1.9.7-8.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00052.html https://www.suse.com/security/cve/CVE-2017-9800.html CVE-2017-9800 https://bugzilla.suse.com/1051362 SUSE Bug 1051362 https://bugzilla.suse.com/1052481 SUSE Bug 1052481 https://bugzilla.suse.com/1052696 SUSE Bug 1052696 https://bugzilla.suse.com/1052932 SUSE Bug 1052932 https://bugzilla.suse.com/1053364 SUSE Bug 1053364 https://bugzilla.suse.com/1066430 SUSE Bug 1066430 https://bugzilla.suse.com/1071709 SUSE Bug 1071709 https://bugzilla.suse.com/1128150 SUSE Bug 1128150