[ GLSA 201610-05 ] Subversion, Serf

[GLSA]

Gentoo Linux Security Advisory

Title: Subversion, Serf: Multiple Vulnerabilities (GLSA 201610-05)
Severity: normal
Exploitable: remote
Date: October 11, 2016
Bug(s): #500482, #518716, #519202, #545348, #556076, #567810, #581448, #586046
ID: 201610-05

Synopsis

Multiple vulnerabilities have been found in Subversion and Serf,
the worst of which could lead to execution of arbitrary code.


Background

Subversion is a version control system intended to eventually replace
CVS. Like CVS, it has an optional client-server architecture (where the
server can be an Apache server running mod_svn, or an ssh program as in
CVS’s :ext: method). In addition to supporting the features found in
CVS, Subversion also provides support for moving and copying files and
directories.
The serf library is a high performance C-based HTTP client library built
upon the Apache Portable Runtime (APR) library.


Affected Packages

Package: dev-vcs/subversion
Vulnerable: < 1.9.4
Unaffected: >= 1.9.4
Unaffected: > 1.8.16 < 1.8.17
Architectures: All supported architectures

Package: net-libs/serf
Vulnerable: < 1.3.7
Unaffected: >= 1.3.7
Architectures: All supported architectures


Description

Multiple vulnerabilities have been discovered in Subversion and Serf.
Please review the CVE identifiers referenced below for details


Impact

A remote attacker could possibly execute arbitrary code with the
privileges of the process, conduct a man-in-the-middle attack, obtain
sensitive information, or cause a Denial of Service Condition.


Workaround

There is no known workaround at this time.

Resolution

All Subversion users should upgrade to the latest version: