ALAS2023-2023-011 --- subversionID: oval:org.secpod.oval:def:19500104 | Date: (C)2023-06-12 (M)2023-12-26 |
Class: PATCH | Family: unix |
A flaw was found in Subversion. When using path-based authorization , the helper function detect_changed does not omit potentially sensitive information from log messages. In particular, if a node is copied from a protected location, its copyfrom path is reported even when omission should occur. A use-after-free vulnerability was found in Subversion in the mod_dav_svn Apache HTTP server module. While looking up path-based authorization rules, multiple calls to the post_config hook can invalidate cached pointers to object-pools, which Subversion subsequently uses. This issue crashes the single HTTPd worker thread or the entire HTTPd server process, depending on the configuration of the Apache HTTPd server
Platform: |
Amazon Linux 2023 |
Product: |
subversion |
python3-subversion |