>>> Magnum BBS <<<
  • [SECURITY] [DSA 1855-1] New subversion packages fix arbitrary code exec

    From Florian Weimer@1:229/2 to All on Sat Aug 8 21:10:13 2009
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1855-1                  [email protected]
    http://www.debian.org/security/                           Florian Weimer
    August 08, 2009                       http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : subversion
    Vulnerability : heap overflow
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-2411

    Matt Lewis discovered that Subversion performs insufficient input
    validation of svndiff streams. Malicious servers could cause heap
    overflows in clients, and malicious clients with commit access could
    cause heap overflows in servers, possibly leading to arbitrary code
    execution in both cases.

    For the old stable distribution (etch), this problem has been fixed in
    version 1.4.2dfsg1-3.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.5.1dfsg1-4.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.6.4dfsg-1.

    We recommend that you upgrade your Subversion packages.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
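
The advisory attributes the heap overflows to insufficient input validation of svndiff streams. The C example below is added here (it is not Subversion's code and not the patch shipped in these packages) and shows one way to validate the five variable-length integers that open an svndiff window (source view offset, source view length, target view length, instructions length, new data length) before any of them is used as a size. `MAX_VIEW_LEN`, `window_header` and both function names are assumptions made for this example, and the whole window is assumed to be in the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_VIEW_LEN ((uint64_t)1 << 20)  /* hypothetical cap, not a Subversion constant */
typedef struct { uint64_t sview_offset, sview_len, tview_len, ins_len, new_len; } window_header;

/* Decode one variable-length integer: 7 data bits per byte, high bit set on
   every byte but the last. Returns bytes consumed, or 0 when the input is
   truncated or the value does not fit in 64 bits. */
static size_t decode_varint(const unsigned char *p, size_t avail, uint64_t *out)
{
    uint64_t v = 0;
    for (size_t i = 0; i < avail; i++) {
        if (v >> 57) return 0;            /* the next shift by 7 would drop bits */
        v = (v << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;                             /* input ended mid-integer */
}

/* Parse and validate one window header; the whole window is assumed to be in
   buf. Returns the header length in bytes, or 0 if the window is rejected. */
size_t parse_window_header(const unsigned char *buf, size_t len, window_header *w)
{
    uint64_t *field[5] = { &w->sview_offset, &w->sview_len, &w->tview_len,
                           &w->ins_len, &w->new_len };
    size_t pos = 0;
    for (int i = 0; i < 5; i++) {
        size_t n = decode_varint(buf + pos, len - pos, field[i]);
        if (n == 0) return 0;
        pos += n;
    }
    /* Cap both views before use as allocation sizes; the source view must not wrap. */
    if (w->sview_len > MAX_VIEW_LEN || w->tview_len > MAX_VIEW_LEN) return 0;
    if (w->sview_offset > UINT64_MAX - w->sview_len) return 0;
    /* Both sections must fit in the remaining input; subtract, never add. */
    size_t left = len - pos;
    if (w->ins_len > left || w->new_len > left - w->ins_len) return 0;
    return pos;
}

int main(void)
{
    /* Constructed sample: offset 0, sview 4, tview 8, then 2 + 3 filler bytes. */
    const unsigned char win[] = { 0x00, 0x04, 0x08, 0x02, 0x03, 1, 2, 3, 4, 5 };
    window_header w;
    printf("header bytes: %zu\n", parse_window_header(win, sizeof win, &w));
    return 0;
}
```

A return value of 0 means the window is refused before any buffer is sized from its fields.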