Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2017-9800: subversion: client code execution via argument injection in SSH URL | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Andreas Stieger <astieger> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | jsegitz, meissner, smash_bz |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/189306/ | | |
| Whiteboard: | CVSSv3:SUSE:CVE-2017-9800:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:SUSE:CVE-2017-9800:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2017-9800:6.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Comment 7
Johannes Segitz
2017-08-02 15:47:42 UTC
is public now

I'm happy to announce the release of Apache Subversion 1.9.7.
Please choose the mirror closest to you by visiting:

    http://subversion.apache.org/download.cgi?update=201708081800#recommended-release

This is a stable security release of the Apache Subversion open source
version control system. It fixes one security issue:

    CVE-2017-9800:
    Arbitrary code execution on clients through malicious svn+ssh URLs in
    svn:externals and svn:sync-from-url

    http://subversion.apache.org/security/CVE-2017-9800-advisory.txt

The SHA1 checksums are:

    874b81749cdc3e88152d103243c3623ac6338388 subversion-1.9.7.tar.bz2
    1a5f48acf9d0faa60e8c7aea96a9b29ab1d4dcac subversion-1.9.7.tar.gz
    741727b62596bf27f75838c46d1bb6938c83fbd7 subversion-1.9.7.zip

SHA-512 checksums are available at:

    https://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.sha512
    https://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.sha512
    https://www.apache.org/dist/subversion/subversion-1.9.7.zip.sha512

PGP Signatures are available at:

    http://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.asc
    http://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.asc
    http://www.apache.org/dist/subversion/subversion-1.9.7.zip.asc

For this release, the following people have provided PGP signatures:

    Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
        8AA2 C10E EAAD 44F9 6972 7AEA B59C E6D6 010C 8AAD
    Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
        8BC4 DAE0 C5A4 D65F 4044 0107 4F7D BAA9 9A59 B973
    Evgeny Kotkov [4096R/B64FFF1209F9FA74] with fingerprint:
        E7B2 A7F4 EC28 BE9F F8B3 8BA4 B64F FF12 09F9 FA74
    Stefan Hett (CODE SIGNING KEY) [4096R/376A3CFD110B1C95] with fingerprint:
        7B8C A7F6 451A D89C 8ADC 077B 376A 3CFD 110B 1C95
    Daniel Shahaf [3072R/A5FEEE3AC7937444] with fingerprint:
        E966 46BE 08C0 AF0A A0F9 0788 A5FE EE3A C793 7444
    Philip Martin [2048R/76D788E1ED1A599C] with fingerprint:
        A844 790F B574 3606 EE95 9207 76D7 88E1 ED1A 599C

Release notes for the 1.9.x release series may be found at:

    http://subversion.apache.org/docs/release-notes/1.9.html

You can find the list of changes between 1.9.7 and earlier versions at:

    http://svn.apache.org/repos/asf/subversion/tags/1.9.7/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team

This is an autogenerated message for OBS integration:
This bug (1051362) was mentioned in
https://build.opensuse.org/request/show/515989 Factory / subversion
https://build.opensuse.org/request/show/515990 42.2+42.3 / subversion

Was submitted.

This is an autogenerated message for OBS integration:
This bug (1051362) was mentioned in
https://build.opensuse.org/request/show/516079 Factory / subversion

SUSE-SU-2017:2163-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1011552,1051362
CVE References: CVE-2016-8734,CVE-2017-9800
Sources used:
SUSE Studio Onsite 1.3 (src): subversion-1.6.17-1.36.9.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): subversion-1.6.17-1.36.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): subversion-1.6.17-1.36.9.1

openSUSE-SU-2017:2183-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1026936,1049448,1051362
CVE References: CVE-2017-9800
Sources used:
openSUSE Leap 42.3 (src): subversion-1.9.7-8.1
openSUSE Leap 42.2 (src): subversion-1.9.7-5.3.1

SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938
CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): subversion-1.8.19-25.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): subversion-1.8.19-25.3.1

released

This is an autogenerated message for OBS integration:
This bug (1051362) was mentioned in
https://build.opensuse.org/request/show/724598 Factory / subversion