Errata ID | 402 |
---|---|
Date | 2018-05-08 |
Source package | subversion |
Fixed in version | 1.8.10-6+deb8u5 |
Description | This update addresses the following issues: * A maliciously constructed svn+ssh:// URL would cause Subversion to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to an honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://. (CVE-2017-9800) * Subversion's mod_dontdothat module and HTTP clients are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory. (CVE-2016-8734) |
Additional notes | |
CVE ID | CVE-2017-9800 CVE-2016-8734 |
UCS Bug number | #44776 #45233 |