SB2014122304 - Information disclosure in subversion (Alpine package)
Published: December 23, 2014
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2015-3187)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=0dcd40e1169ccbe718afc882b63f7994da1f7786
- https://git.alpinelinux.org/aports/commit/?id=7779fcf1a7d75dbd157759549684a0697a8097bb
- https://git.alpinelinux.org/aports/commit/?id=0e91c74ab427bc20c21aaa5007aa1f70373c5b34
- https://git.alpinelinux.org/aports/commit/?id=dbf7ad7ac8d89ea5a3ddf2219e4507de9e1ee50b