Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200409-35] Subversion: Metadata information leak Vulnerability Scan
Vulnerability Scan Summary
Subversion: Metadata information leak
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200409-35
(Subversion: Metadata information leak)
There is a bug in mod_authz_svn that causes it to reveal logged metadata
regarding commits to protected areas.
Impact
Protected files themselves will not be revealed, but an attacker could use
the metadata to learn of the existence of protected areas, including their
paths, file versions, and the commit logs from those areas.
Workaround
Rather than using mod_authz_svn, move protected areas into separate
repositories and use native Apache authentication to make these
repositories unreadable.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0749
http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt
Solution:
All Subversion users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=dev-util/subversion-1.0.8"
# emerge ">=dev-util/subversion-1.0.8"
Threat Level: Low