subversion-users mailing list archives

From Parrish Knight <parrish.kni...@noaa.gov>
Subject Re: Subversion upgrade problem
Date Mon, 22 Oct 2012 13:55:33 GMT
On Mon, Oct 22, 2012 at 9:47 AM, Stefan Sperling <stsp@elego.de> wrote:
> If he can reproduce this problem even with patches applied, please
> ask him to report this as a new security issue with a reproduction
> recipe included. Please see
> http://subversion.apache.org/docs/community-guide/issues.html#security
> for details on reporting security issues.

I'll pass that information along to him as soon as we're reasonably
certain that it's an actual issue.  As you say, there are still a few
other things to check, especially inasmuch as the help desk
technicians here at NGS are not particularly familiar with open-source
software.

> Are you sure the Subversion upgrade was done properly?

I used Control Panel to uninstall the previous version, then I
downloaded and unZIPped the most current version.  Is there anything I
may have overlooked?

> Maybe the server
> is still using a vulnerable version of libsvn_delta by accident?

How do I check for that?  (I am unfamiliar with this software because
I am not a developer.  Please be patient with me... thanks.)

> How are you testing for this vulnerability?

Our security officer runs a scan remotely to locate risks.  I am
uncertain which tool(s) he uses for this purpose.  If you think it may
be pertinent, I can ask him.  Are you thinking it might be a false
positive?

> As far as I know an exploit
> was circulated privately among developers for testing purposes but was
> never made public. Did you write a new exploit or do you happen to have
> a repository data set that triggers the problem reliably?

The NGS is a pretty small agency.  I am uncertain as to the exact
number of Subversion users here, but it's going to be very small --
it's even possible that my current customer is the only one.

> Please do not post reproduction recipes for security issues to this
> list -- it is publicly archived. Instead, feel free to continue this
> conversation via channels documented at
> http://subversion.apache.org/docs/community-guide/issues.html#security
> if you have some sort of sensitive data to share with us. Thanks.

Understood.

-- 
Parrish S. Knight
NGS Help Desk Lead
301-713-3254 x184
parrish.knight@noaa.gov
