SB2015092510 - Fedora 22 update for subversion



Published: September 25, 2015 Updated: April 24, 2025

Security Bulletin ID: SB2015092510
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 50% Low 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2015-3184)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.


2) Information disclosure (CVE-ID: CVE-2015-3187)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.


Remediation

Install the update from the vendor's website.
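
As an added example (not part of the original bulletin or any vendor tooling), the POSIX shell script below maps an upstream Subversion version to the CVEs in this bulletin whose stated ranges include it. The function names and sample versions are assumptions made for illustration; the check compares upstream version numbers only and does not account for distribution backports.

```shell
#!/bin/sh
# Added example, not vendor code. Ranges are the ones quoted in this bulletin.
# Helper names are hypothetical; variables are global to stay POSIX sh.

# split_version X.Y.Z[suffix]: set MAJ, MIN, PAT; return 1 if malformed.
split_version() {
    case "$1" in *.*.*) ;; *) return 1 ;; esac
    MAJ=${1%%.*}
    _rest=${1#*.}
    MIN=${_rest%%.*}
    PAT=${_rest#*.}
    PAT=${PAT%%[!0-9]*}          # drop suffixes such as "-7.fc22"
    for _p in "$MAJ" "$MIN" "$PAT"; do
        case "$_p" in ''|*[!0-9]*) return 1 ;; esac
    done
}

# affected_cves SVN_VERSION [HTTPD_VERSION]: print matching CVE IDs or "none".
affected_cves() {
    split_version "$1" || { echo "unparseable"; return 2; }
    httpd=${2:-unknown}
    key=$(( MAJ * 1000000 + MIN * 1000 + PAT ))
    in_17x=no; in_18x=no; out=""
    if [ "$key" -ge 1007000 ] && [ "$key" -lt 1007021 ]; then in_17x=yes; fi
    if [ "$key" -ge 1008000 ] && [ "$key" -lt 1008014 ]; then in_18x=yes; fi
    # CVE-2015-3184: 1.7.x < 1.7.21 or 1.8.x < 1.8.14, only with httpd 2.4.x.
    # An unspecified httpd version is treated as in scope (conservative).
    if [ "$in_17x" = yes ] || [ "$in_18x" = yes ]; then
        case "$httpd" in 2.4.*|unknown) out="CVE-2015-3184" ;; esac
    fi
    # CVE-2015-3187: anything before 1.7.21, or 1.8.x < 1.8.14. Exposure also
    # needs path-based authorization, which a version check cannot see.
    if [ "$key" -lt 1007021 ] || [ "$in_18x" = yes ]; then
        out="${out:+$out }CVE-2015-3187"
    fi
    echo "${out:-none}"
}

# Constructed sample versions, paired with a constructed httpd version.
for v in 1.6.23 1.7.20 1.7.21 1.8.13 1.8.14; do
    printf '%-8s %s\n' "$v" "$(affected_cves "$v" 2.4.16)"
done
```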