SB2014122303 - Information disclosure in subversion (Alpine package)
Published: December 23, 2014
Security Bulletin ID
SB2014122303
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2015-3184)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=0dcd40e1169ccbe718afc882b63f7994da1f7786
- https://git.alpinelinux.org/aports/commit/?id=7779fcf1a7d75dbd157759549684a0697a8097bb
- https://git.alpinelinux.org/aports/commit/?id=0e91c74ab427bc20c21aaa5007aa1f70373c5b34
- https://git.alpinelinux.org/aports/commit/?id=dbf7ad7ac8d89ea5a3ddf2219e4507de9e1ee50b