On Mon, Oct 22, 2012 at 9:47 AM, Stefan Sperling <s...@elego.de> wrote:
> If he can reproduce this problem even with patches applied, please
> ask him to report this as a new security issue with a reproduction
> recipe included. Please see
> http://subversion.apache.org/docs/community-guide/issues.html#security
> for details on reporting security issues.

I'll pass that information along to him as soon as we're reasonably certain that it's an actual issue. As you say, there are still a few other things to check, especially inasmuch as the help desk technicians here at NGS are not particularly familiar with open-source software.

> Are you sure the Subversion upgrade was done properly?

I used Control Panel to uninstall the previous version, then I downloaded and unZIPped the most current version. Is there anything I may have overlooked?

> Maybe the server
> is still using a vulnerable version of libsvn_delta by accident?

How do I check for that? (I am unfamiliar with this software because I am not a developer. Please be patient with me... thanks.)

> How are you testing for this vulnerability?

Our security officer runs a scan remotely to locate risks. I am uncertain which tool(s) he uses for this purpose. If you think it may be pertinent, I can ask him. Are you thinking it might be a false positive?

> As far as I know an exploit
> was circulated privately among developers for testing purposes but was
> never made public. Did you write a new exploit or do you happen to have
> a repository data set that triggers the problem reliably?

The NGS is a pretty small agency. I am uncertain as to the exact number of Subversion users here, but it's going to be very small -- it's even possible that my current customer is the only one.

> Please do not post reproduction recipes for security issues to this
> list -- it is publicly archived. Instead, feel free to continue this
> conversation via channels documented at
> http://subversion.apache.org/docs/community-guide/issues.html#security
> if you have some sort of sensitive data to share with us. Thanks.

Understood.

--
Parrish S. Knight
NGS Help Desk Lead
301-713-3254 x184
parrish.kni...@noaa.gov