Three new flaws have been discovered in the Subversion software package that can lead to a crash of the vulnerable system and to privilege escalation.
Package:
Subversion 1.x
Operating systems:
Ubuntu Linux 10.04, Ubuntu Linux 10.10, Ubuntu Linux 11.04
Severity:
4.8
Problem:
improper privilege handling
Exploitation:
remote
Impact:
privilege escalation, denial of service (DoS)
Solution:
vendor patch
CVE:
CVE-2011-1752, CVE-2011-1783, CVE-2011-1921
Original advisory ID:
USN-1144-1
Source:
Ubuntu
Problem:
The problems occur in the mod_dav_svn module, specifically because of improper handling of certain requests and improper access-control management in certain situations.
Impact:
The flaws can be exploited to carry out DoS attacks and to escalate privileges on the vulnerable system.
Solution:
All users are advised to install the available software fixes.
==========================================================================
Ubuntu Security Notice USN-1144-1
June 06, 2011
subversion vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
An attacker could send crafted input to the Subversion mod_dav_svn module
for Apache and cause it to crash or gain access to restricted files.
Software Description:
- subversion: Advanced version control system
Details:
Joe Schaefer discovered that the Subversion mod_dav_svn module for Apache
did not properly handle certain baselined WebDAV resource requests. A
remote attacker could use this flaw to cause the service to crash, leading
to a denial of service. (CVE-2011-1752)
Ivan Zhakov discovered that the Subversion mod_dav_svn module for Apache
did not properly handle certain requests. A remote attacker could use this
flaw to cause the service to consume all available resources, leading to a
denial of service. (CVE-2011-1783)
Kamesh Jayachandran discovered that the Subversion mod_dav_svn module for
Apache did not properly handle access control in certain situations. A
remote user could use this flaw to gain access to files that would
otherwise be unreadable. (CVE-2011-1921)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
libapache2-svn 1.6.12dfsg-4ubuntu2.1
Ubuntu 10.10:
libapache2-svn 1.6.12dfsg-1ubuntu1.3
Ubuntu 10.04 LTS:
libapache2-svn 1.6.6dfsg-2ubuntu1.3
After a standard system update you need to restart any applications that
use Subversion, such as Apache when using mod_dav_svn, to make all the
necessary changes.
References:
CVE-2011-1752, CVE-2011-1783, CVE-2011-1921
Package Information:
https://launchpad.net/ubuntu/+source/subversion/1.6.12dfsg-4ubuntu2.1
https://launchpad.net/ubuntu/+source/subversion/1.6.12dfsg-1ubuntu1.3
https://launchpad.net/ubuntu/+source/subversion/1.6.6dfsg-2ubuntu1.3