I think he meant "subversion-1.6.11", which is the default version for
CentOS 6.4.

On Mon, Aug 19, 2013 at 6:19 PM, Ben Reser <b...@reser.org> wrote:

> On 8/19/13 9:07 AM, Scott Frankel wrote:
> > I'm new to SVN server configuration and find myself setting up a CentOS
> > 6.4 server with svn version 1.6.1, following the red-bean book.
>
> I'd strongly urge you not to use 1.6.1, see the list of applicable
> security issues here:
> http://subversion.apache.org/security/
>
> If you're using the CentOS packages they may have patched those issues
> without updating the svn version number.  You should check that though.
>
> If you're setting up a new server I wouldn't start with 1.6.x but would go
> straight to 1.7.x or 1.8.x, probably 1.8.x if you can.
>
> > I'm having difficulty with authorization &/or authentication:  my repo
> > appears to be accessible by anyone in spite of requiring "valid-user" and
> > specifying digest authentication.  I believe this because 1) I can download
> > a full working copy of the repo to a 3rd-party logged into a foreign
> > computer, and 2) I have dozens of entries in apache's logfiles, like these
> > from this morning, *prior* to any known/legitimate access to my repos today:
> >
> > svn_logfile:
> > [19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity
>
> That does indeed look like access without a user.
>
> > access_log
> > 93.174.93.213 - - [19/Aug/2013:07:23:50 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
> >
> > error_log
> > [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>
> These however do not appear to be alarming at all.  Neither of them are
> under the /svn Location on your server where you have put the Require
> valid-user requirement.  They appear to me to be just normal probes run
> by someone looking for security holes.  This sort of thing is just going
> to be a normal part of running a server on the Internet.
>
> > <Location /svn>
> >   DAV svn
> >   SVNParentPath /var/svn
> >
> >   # Authentication: Digest
> >   AuthName "Subversion repository"
> >   AuthType Digest
> >   AuthUserFile /etc/svn-auth.htdigest
> >
> >   # Authorization: Authenticated users only
> >   Require valid-user
> > </Location>
>
> I'm not seeing anything wrong with this, so I'm not sure why you're
> having a problem.  You didn't mention it but I'm wondering what version
> of httpd you're running, I'm assuming 2.2.x since you're using 1.6.1 on
> CentOS 6.4.
>
>
