Security update for subversion SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:2200-1 Final 1 1 2017-08-17T06:38:37Z current 2017-08-17T06:38:37Z 2017-08-17T06:38:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for subversion This update for subversion fixes the following issues: - CVE-2017-9800: A malicious, compromised server or MITM may cause svn client to execute arbitrary commands by sending repository content with svn:externals definitions pointing to crafted svn+ssh URLs. (bsc#1051362) - Malicious user may commit SHA-1 collisions and cause repository inconsistencies (bsc#1026936) - CVE-2016-8734: Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s):// could lead to denial of service (bsc#1011552) - CVE-2016-2167: svnserve/sasl may authenticate users using the wrong realm (bsc#976849) - CVE-2016-2168: Remotely triggerable DoS vulnerability in mod_authz_svn during COPY/MOVE authorization check (bsc#976850) - mod_authz_svn: fix authz with mod_auth_kerb/mod_auth_ntlm (bsc#977424) - make the subversion package conflict with KWallet and Gnome Keyring packages with do not require matching subversion versions in SLE 12 and openSUSE Leap 42.1 and thus break the main package upon partial upgrade. (bsc#969159) - CVE-2015-5343: Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn caused by integer overflow when parsing skel-encoded request bodies. (bsc#958300) - Avoid recommending 180+ new pkgs for installation on minimal setup due subversion-password-store (bsc#942819) - CVE-2015-3184: mod_authz_svn: mixed anonymous/authenticated httpd (dav) configurations could lead to information leak (bsc#939514) - CVE-2015-3187: do not leak paths that were hidden by path-based authz (bsc#939517) - CVE-2015-0202: Subversion HTTP servers with FSFS repositories were vulnerable to a remotely triggerable excessive memory use with certain REPORT requests. (bsc#923793) - CVE-2015-0248: Subversion mod_dav_svn and svnserve were vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers. (bsc#923794) - CVE-2015-0251: Subversion HTTP servers allow spoofing svn:author property values for new revisions (bsc#923795) - fix sample configuration comments in subversion.conf (bsc#916286) - fix sysconfig file generation (bsc#911620) - CVE-2014-3580: mod_dav_svn invalid REPORT requests could lead to denial of service (bsc#909935) - CVE-2014-8108: mod_dav_svn use of invalid transaction names could lead to denial of service (bsc#909935) - INSTALL#SQLite says 'Subversion 1.8 requires SQLite version 3.7.12 or above'; therefore I lowered the sqlite requirement to make the subversion run on older system versions, tooi. [bsc#897033] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SDK-12-SP2-2017-1340,SUSE-SLE-SDK-12-SP3-2017-1340 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ Link for SUSE-SU-2017:2200-1 https://lists.suse.com/pipermail/sle-security-updates/2017-August/003142.html E-Mail link for SUSE-SU-2017:2200-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1011552 SUSE Bug 1011552 https://bugzilla.suse.com/1026936 SUSE Bug 1026936 https://bugzilla.suse.com/1051362 SUSE Bug 1051362 https://bugzilla.suse.com/897033 SUSE Bug 897033 https://bugzilla.suse.com/909935 SUSE Bug 909935 https://bugzilla.suse.com/911620 SUSE Bug 911620 https://bugzilla.suse.com/916286 SUSE Bug 916286 https://bugzilla.suse.com/923793 SUSE Bug 923793 https://bugzilla.suse.com/923794 SUSE Bug 923794 https://bugzilla.suse.com/923795 SUSE Bug 923795 https://bugzilla.suse.com/939514 SUSE Bug 939514 https://bugzilla.suse.com/939517 SUSE Bug 939517 https://bugzilla.suse.com/942819 SUSE Bug 942819 https://bugzilla.suse.com/958300 SUSE Bug 958300 https://bugzilla.suse.com/969159 SUSE Bug 969159 https://bugzilla.suse.com/976849 SUSE Bug 976849 https://bugzilla.suse.com/976850 SUSE Bug 976850 https://bugzilla.suse.com/977424 SUSE Bug 977424 https://bugzilla.suse.com/983938 SUSE Bug 983938 https://www.suse.com/security/cve/CVE-2014-3580/ SUSE CVE CVE-2014-3580 page https://www.suse.com/security/cve/CVE-2014-8108/ SUSE CVE CVE-2014-8108 page https://www.suse.com/security/cve/CVE-2015-0202/ SUSE CVE CVE-2015-0202 page https://www.suse.com/security/cve/CVE-2015-0248/ SUSE CVE CVE-2015-0248 page https://www.suse.com/security/cve/CVE-2015-0251/ SUSE CVE CVE-2015-0251 page https://www.suse.com/security/cve/CVE-2015-3184/ SUSE CVE CVE-2015-3184 page https://www.suse.com/security/cve/CVE-2015-3187/ SUSE CVE CVE-2015-3187 page https://www.suse.com/security/cve/CVE-2015-5343/ SUSE CVE CVE-2015-5343 page https://www.suse.com/security/cve/CVE-2016-2167/ SUSE CVE CVE-2016-2167 page https://www.suse.com/security/cve/CVE-2016-2168/ SUSE CVE CVE-2016-2168 page https://www.suse.com/security/cve/CVE-2016-8734/ SUSE CVE CVE-2016-8734 page https://www.suse.com/security/cve/CVE-2017-9800/ SUSE CVE CVE-2017-9800 page SUSE Linux Enterprise Software Development Kit 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP3 libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 subversion-1.8.19-25.3.1 subversion-bash-completion-1.8.19-25.3.1 subversion-devel-1.8.19-25.3.1 subversion-perl-1.8.19-25.3.1 subversion-python-1.8.19-25.3.1 subversion-server-1.8.19-25.3.1 subversion-tools-1.8.19-25.3.1 libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 subversion-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 subversion-bash-completion-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 subversion-devel-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 subversion-perl-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 subversion-python-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 subversion-server-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 subversion-tools-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 subversion-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 subversion-bash-completion-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 subversion-devel-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 subversion-perl-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 subversion-python-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 subversion-server-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 subversion-tools-1.8.19-25.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist. CVE-2014-3580 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2014-3580.html CVE-2014-3580 https://bugzilla.suse.com/909935 SUSE Bug 909935 https://bugzilla.suse.com/910376 SUSE Bug 910376 The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist. CVE-2014-8108 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2014-8108.html CVE-2014-8108 https://bugzilla.suse.com/909935 SUSE Bug 909935 The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes. CVE-2015-0202 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 important 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2015-0202.html CVE-2015-0202 https://bugzilla.suse.com/923793 SUSE Bug 923793 The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers. CVE-2015-0248 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2015-0248.html CVE-2015-0248 https://bugzilla.suse.com/923794 SUSE Bug 923794 The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences. CVE-2015-0251 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 low 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2015-0251.html CVE-2015-0251 https://bugzilla.suse.com/923795 SUSE Bug 923795 mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name. CVE-2015-3184 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2015-3184.html CVE-2015-3184 https://bugzilla.suse.com/938723 SUSE Bug 938723 https://bugzilla.suse.com/939514 SUSE Bug 939514 https://bugzilla.suse.com/939516 SUSE Bug 939516 The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path. CVE-2015-3187 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 low 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2015-3187.html CVE-2015-3187 https://bugzilla.suse.com/939517 SUSE Bug 939517 Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users to cause a denial of service (subversion server crash or memory consumption) and possibly execute arbitrary code via a skel-encoded request body, which triggers an out-of-bounds read and heap-based buffer overflow. CVE-2015-5343 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 important 8 AV:N/AC:L/Au:S/C:P/I:P/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2015-5343.html CVE-2015-5343 https://bugzilla.suse.com/958300 SUSE Bug 958300 The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string. CVE-2016-2167 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 low 3.6 AV:N/AC:H/Au:S/C:P/I:P/A:N 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2016-2167.html CVE-2016-2167 https://bugzilla.suse.com/976849 SUSE Bug 976849 The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check. CVE-2016-2168 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 moderate 6.3 AV:N/AC:M/Au:S/C:N/I:N/A:C 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2016-2168.html CVE-2016-2168 https://bugzilla.suse.com/976850 SUSE Bug 976850 Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory. CVE-2016-8734 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 low 3.5 AV:N/AC:M/Au:S/C:N/I:N/A:P 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2016-8734.html CVE-2016-8734 https://bugzilla.suse.com/1011552 SUSE Bug 1011552 A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://. CVE-2017-9800 SUSE Linux Enterprise Software Development Kit 12 SP2:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:subversion-tools-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:libsvn_auth_gnome_keyring-1-0-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-bash-completion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-devel-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-perl-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-python-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-server-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:subversion-tools-1.8.19-25.3.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172200-1/ https://www.suse.com/security/cve/CVE-2017-9800.html CVE-2017-9800 https://bugzilla.suse.com/1051362 SUSE Bug 1051362 https://bugzilla.suse.com/1052481 SUSE Bug 1052481 https://bugzilla.suse.com/1052696 SUSE Bug 1052696 https://bugzilla.suse.com/1052932 SUSE Bug 1052932 https://bugzilla.suse.com/1053364 SUSE Bug 1053364 https://bugzilla.suse.com/1054653 SUSE Bug 1054653 https://bugzilla.suse.com/1066430 SUSE Bug 1066430 https://bugzilla.suse.com/1071709 SUSE Bug 1071709 https://bugzilla.suse.com/1128150 SUSE Bug 1128150