In association with heise online

04 March 2011, 15:15

Subversion 1.6.16 blocks a denial of service issue

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The Subversion developers have released version 1.6.16 which includes, in addition to a selection of bug fixes and stability enhancements, a fix that prevents the exploitation of a remotely triggerable denial of service. The DoS problem affects Subversion servers up to and including version 1.5.9 and 1.6.15. They are vulnerable to a null pointer being dereferenced when an unauthenticated user attempts to lock a file.

This will crash the server – typically the process will be automatically restarted, but a "determined attacker will be able to crash these processes as they appear". According to the report, an exploit has been demonstrated that makes use of the flaw. The stand-alone svnserve is not affected by the issue.

The developers recommend that all users upgrade to version 1.6.16. Source code for the updated version is available for download and binary versions are in the process of being updated. The advisory also includes a patch for Subversion 1.5 users who are unable to upgrade.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit