On Mon, Oct 22, 2012 at 09:55:33AM -0400, Parrish Knight wrote:
> > Are you sure the Subversion upgrade was done properly?
>
> I used Control Panel to uninstall the previous version, then I
> downloaded and unZIPped the most current version. Is there anything I
> may have overlooked?

That sounds fine. Maybe Windows also needs a reboot to pick up newly
installed Subversion libraries, but maybe it doesn't (I'm not a Windows
expert).

> > Maybe the server is still using a vulnerable version of libsvn_delta
> > by accident?
>
> How do I check for that? (I am unfamiliar with this software because
> I am not a developer. Please be patient with me... thanks.)

You could check if you can still see a libsvn_delta-1.dll (or similarly
named file) left over from the old installation.

> > How are you testing for this vulnerability?
>
> Our security officer runs a scan remotely to locate risks. I am
> uncertain which tool(s) he uses for this purpose. If you think it may
> be pertinent, I can ask him. Are you thinking it might be a false
> positive?

Yes, that's possible and probably the first thing to check next.
What is this scan actually doing and trying to detect?

Just to make sure I got this right: You're not scanning a Subversion
server machine, but a Subversion client machine (a laptop), correct?

To detect the exploit in question it would have to try to remotely crash
the Subversion client or server using an exploit tailored towards this
specific vulnerability, crafting a custom svndiff data stream which
triggers a crash, and then somehow detect remotely whether the client or
server crashed because of this exploit. I doubt a general-purpose
scanning tool would have such sophisticated exploit-specific checks
built-in. So in this case I'd start out assuming a false positive unless
the opposite is proven.
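The check suggested in the reply above (look for a libsvn_delta-1.dll left over from the old installation) can be automated. The following script is an added example, not code from the thread or from the Subversion project: it walks the usual Windows install locations plus every directory on PATH (the places Windows will load a DLL from), records each libsvn_delta*.dll it finds with its SHA-256 hash, and reports any file name that exists in more than one distinct version, which is the signature of a stale copy surviving an uninstall. The function names, the default search roots and the `libsvn_delta` prefix are this example's own choices, not anything the thread specifies.

```python
"""Find leftover libsvn_delta DLLs after a Subversion uninstall/reinstall on Windows.

Example code, not part of the original thread. Names and defaults are assumptions.
"""
import hashlib
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class DllHit:
    path: str
    size: int
    sha256: str


def _sha256(path: str) -> str:
    """Stream-hash a file so large DLLs don't have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_svn_dlls(roots: Iterable[str], prefix: str = "libsvn_delta") -> List[DllHit]:
    """Return every <prefix>*.dll found under any of the given root directories.

    The match is case-insensitive because Windows file names are.
    """
    hits: List[DllHit] = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                lower = name.lower()
                if lower.startswith(prefix.lower()) and lower.endswith(".dll"):
                    path = os.path.join(dirpath, name)
                    hits.append(DllHit(path, os.path.getsize(path), _sha256(path)))
    return hits


def stale_candidates(hits: List[DllHit]) -> Dict[str, List[DllHit]]:
    """Group hits by file name and keep only names with more than one distinct content.

    Two copies with identical hashes are just duplicates of the same build; two copies
    with different hashes mean an old build is still on disk and may be the one loaded.
    """
    by_name: Dict[str, List[DllHit]] = defaultdict(list)
    for hit in hits:
        by_name[os.path.basename(hit.path).lower()].append(hit)
    return {name: hs for name, hs in by_name.items() if len({h.sha256 for h in hs}) > 1}


def default_roots() -> List[str]:
    """Directories worth searching on a Windows host (assumed defaults, not exhaustive).

    PATH entries are included because the Windows DLL search order consults them, so a
    stale copy there can shadow the freshly installed one.
    """
    roots = [
        os.environ.get("ProgramFiles", r"C:\Program Files"),
        os.environ.get("ProgramFiles(x86)", r"C:\Program Files (x86)"),
        os.environ.get("SystemRoot", r"C:\Windows"),
    ]
    roots += os.environ.get("PATH", "").split(os.pathsep)
    return [r for r in dict.fromkeys(roots) if r]  # de-duplicate, keep order


if __name__ == "__main__":
    all_hits = find_svn_dlls(default_roots())
    for hit in all_hits:
        print(f"{hit.path}  {hit.size} bytes  sha256={hit.sha256[:16]}...")
    for name, copies in stale_candidates(all_hits).items():
        print(f"\nWARNING: {len(copies)} differing copies of {name}:")
        for hit in copies:
            print(f"  {hit.path}")
```

Walking all of C:\Windows can take a while; narrowing the roots to the Subversion install directory and the PATH entries is usually enough. Any extra copy reported under a location that is not the current install is the "leftover from the old installation" the reply is asking about, and deleting or replacing it removes the possibility that the old library is still being loaded.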