Fixed vulnerabilities:
- CVE-2014-3580 (VulnLIB link) A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn.
- CVE-2014-3528 (VulnLIB link) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server's URL. A malicious server able to provide a realm that triggers an MD5 collision could possibly use this flaw to obtain the credentials for a different realm.
Affected releases:
- CentOS 6
Software description:
- subversion
Solution:
- Check VulnLIB for fixes for CVEs listed above and the source.
Source:
Wednesday, 11.02.2015
CentOS Errata and Security Advisory 2015:0165
Posted by Ali Elci
Ali Elci is an IT security specialist with more than 16 years of experience consulting for government and industry, an advocate for transparency and standardization in security reporting, and the founder of Ciproc GmbH.
VulnLIB Enterprise Auditor is a powerful and innovative tool that can provide a comprehensive, daily audit of missing security updates across an entire IT infrastructure accompanied by specific recommendations for patches and upgrades from software vendors.
more