{"id":"MGASA-2013-0360","summary":"Updated subversion package fixes security vulnerabilities","details":"mod_dontdothat allows you to block update REPORT requests against certain\npaths in the repository.  It expects the paths in the REPORT request to be\nabsolute URLs.  Serf-based clients send relative URLs instead of absolute\nURLs in many cases.  As a result these clients are not blocked as\nconfigured by mod_dontdothat (CVE-2013-4505).\n\nWhen SVNAutoversioning is enabled via \"SVNAutoversioning on\", commits can\nbe made by single HTTP requests such as MKCOL and PUT.  If Subversion is\nbuilt with assertions enabled, any such requests that have non-canonical\nURLs, such as URLs with a trailing /, may trigger an assert.  An assert\nwill cause the Apache process to abort (CVE-2013-4558).\n","modified":"2026-02-01T16:16:53.120527Z","published":"2013-11-30T21:37:01Z","related":["CVE-2013-4505","CVE-2013-4558"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2013-0360.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=11780"},{"type":"REPORT","url":"http://subversion.apache.org/security/CVE-2013-4505-advisory.txt"},{"type":"REPORT","url":"http://subversion.apache.org/security/CVE-2013-4558-advisory.txt"},{"type":"REPORT","url":"https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FE1.2030700@apache.org%3E"}],"affected":[{"package":{"name":"subversion","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/subversion?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.14-1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0360.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}