~ubuntu-security/ubuntu-cve-tracker/master

Candidate: CVE-2013-4277
PublicDate: 2013-09-16
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4277
 http://subversion.apache.org/security/CVE-2013-4277-advisory.txt
 http://xforce.iss.net/xforce/xfdb/86972
Description:
 Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1
 allows local users to overwrite arbitrary files or kill arbitrary processes
 via a symlink attack on the file specified by the --pid-file option.
Ubuntu-Description:
Notes:
 mdeslaur> pid file is not created by default on Ubuntu. This is only an
 mdeslaur> issue if someone specifies a pid file in an insecure location.
 mdeslaur> as such, we will not be fixing this.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721542
Priority: low
Discovered-by: Daniel Shahaf
Assigned-to: mdeslaur

Patches_subversion:
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1516558 (1.7.x)
upstream_subversion: released (1.8.3,1.7.13)
lucid_subversion: ignored (reached end-of-life)
precise_subversion: ignored
quantal_subversion: ignored (reached end-of-life)
raring_subversion: ignored (reached end-of-life)
saucy_subversion: ignored (reached end-of-life)
trusty_subversion: not-affected (1.7.13-2ubuntu2)
devel_subversion: not-affected (1.7.13-2ubuntu2)