Thursday, June 26, 2014

Why no Subversion 1.8 in RHEL 6?

Today a new problem appeared with one of my servers. After running a QualysGuard report, I found a security warning related to the Subversion tool.

When this server was installed, they included Subversion version 1.6. This version of Subversion includes some security bugs, like:

1. Subversion FSFS repositories can be corrupted due to improper file name validation.
2. Subversion releases up to 1.6.22 (inclusive), and 1.7.x tags up to 1.7.10 (inclusive, but excepting 1.7.x releases made from those tags), include a contrib/ script prone to shell injection by authenticated users, which could result in arbitrary code execution.
3. Denial of service vulnerability in Subversion's svnserve server process, which can be triggered by terminating an incoming TCP connection before the connection process is completed.

The QualysGuard report suggests updating Subversion to 1.8. I looked for this software on Apache's web site and found the answer:

yum update subversion

But in the end the Red Hat guys don't want to include this package in the repositories for Red Hat 6. I don't know if Red Hat 7 includes version 1.8 of Subversion, but this update is necessary for Red Hat 6.

The only workaround I found was to remove this package, because nobody needs to use it on this server.
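As an added example (not part of the original post), here is a POSIX shell check for whether a Subversion version string falls inside the range the post quotes for the contrib/ script bug (releases up to 1.6.22 inclusive), together with a lookup of the locally installed RPM. The function names (parse_version, version_le, svn_contrib_affected, report_installed_svn) and the sample version strings are my own; the post's 1.7.x exception is read as applying to packaged releases, so 1.7.x builds are not flagged.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a Subversion
# version string falls inside the range the post gives for the contrib/
# script shell-injection bug: every release up to 1.6.22 inclusive. The
# post excepts 1.7.x releases made from the affected tags, so packaged
# 1.7.x builds are reported as not affected (assumption: an RPM is built
# from a release tarball, not from the repository tag).

# parse_version "1.6.11" -> prints "1 6 11"; missing fields become 0 and
# trailing suffixes such as "-2" or "-rc1" are stripped from the last field.
parse_version() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0
    patch=${patch%%[!0-9]*}
    [ -z "$patch" ] && patch=0
    echo "$major $minor $patch"
}

# version_le A B -> exit 0 if A <= B, compared field by field as integers.
version_le() {
    set -- $(parse_version "$1") $(parse_version "$2")
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -le "$6" ]
}

# svn_contrib_affected VERSION -> exit 0 if VERSION is a release up to 1.6.22.
svn_contrib_affected() {
    version_le "$1" "1.6.22"
}

# Report on the locally installed package when rpm is available (RHEL/CentOS).
# Caveat: Red Hat backports security fixes without changing the upstream
# version number, so a "1.6.11" package may already carry a fix; the
# authoritative record is the package changelog (rpm -q --changelog subversion).
report_installed_svn() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; skipping"; return 0; }
    v=$(rpm -q --qf '%{VERSION}' subversion 2>/dev/null) || { echo "subversion not installed"; return 0; }
    if svn_contrib_affected "$v"; then
        echo "subversion $v: upstream version in affected range; check rpm -q --changelog subversion"
    else
        echo "subversion $v: upstream version outside affected range"
    fi
}

# Constructed sample versions for a quick self-check.
for sample in 1.6.11 1.6.22 1.6.23 1.7.10 1.8.0; do
    if svn_contrib_affected "$sample"; then
        echo "$sample: affected"
    else
        echo "$sample: not affected"
    fi
done
report_installed_svn
```

The version comparison is done field by field rather than as a string, so "1.6.9" correctly sorts before "1.6.22". On a RHEL box the upstream version alone is not the last word: a package flagged here may already contain the backported fix, so the RPM changelog (or the vendor errata) decides whether the update or the removal the post describes is actually needed.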

Please, Red Hat, include new versions of Subversion for RHEL 6!!!

See you soon


Jesus Alberto Ruiz
