www/security/CAN-2004-0749-advisory.txt - subversion - Git at Google


             mod_authz_svn fails to protect metadata

 Summary:
 =======

 mod_authz_svn, the Apache httpd module which does path-based
 authorization on Subversion repositories, is not correctly protecting
 all metadata on unreadable paths.

 This metadata leakage affects the mod_authz_svn module in all released
 versions of Subversion (through 1.0.7), as well as the 1.1-rc1, -rc2
 and -rc3 release candidates.  The leakage is fixed in the 1.0.8 and
 1.1-rc4 release, as well as the upcoming 1.1 final release.


 Details:
 =======

 If a Subversion commit affects paths that an administrator has marked
 "unreadable" using mod_authz_svn, then

    - "svn log -v" will list the existence of the unreadable paths;
    - "svn log -v" will show the commit's log message, which might be
                   considered sensitive metadata in some situations;
    - "svn propget" is also able to fetch the log message of any commit;
    - "svn blame" and other commands that follow renames are able to
                   acknowledge the existence of earlier versions of
                   files that exist at unreadable locations.

 Severity:
 ========

 Mild-to-medium severity, depending on your situation.

 This security issue is not about revealing the contents of protected
 files: it only reveals metadata about protected areas such as paths
 and log messages.  This may or may not be important to your
 organization, depending on how you're using path-based authorization,
 and the sensitivity of the metadata.

 (Exception: in the case of "svn blame", and only in svn 1.1-rc2 and
 -rc3, it's possible that older unreadable versions of a file are being
 transported from server to client; the contents aren't displayed, but
 the data is still traveling over the network.)

 These issues only affects users of mod_authz_svn, not people using
 native httpd.conf directives (such as <Limit> or <LimitExcept>)
 directives to limit general readability on whole repositories.


 Workarounds:
 ===========

 * Use mod_authz_svn to restrict writes only, not reads.

 * Break unreadable areas into separate repositories, and use native
   apache httpd.conf directives to make them unreadable.


 References:
 ==========

   CAN-2004-0749: mod_authz_svn fails to protect metadata

 Recommendation:
 ==============

 We recommend an upgrade to 1.0.8 or 1.1.0-rc4.

	mod_authz_svn fails to protect metadata

	Summary:
	=======

	mod_authz_svn, the Apache httpd module which does path-based
	authorization on Subversion repositories, is not correctly protecting
	all metadata on unreadable paths.

	This metadata leakage affects the mod_authz_svn module in all released
	versions of Subversion (through 1.0.7), as well as the 1.1-rc1, -rc2
	and -rc3 release candidates. The leakage is fixed in the 1.0.8 and
	1.1-rc4 release, as well as the upcoming 1.1 final release.


	Details:
	=======

	If a Subversion commit affects paths that an administrator has marked
	"unreadable" using mod_authz_svn, then

	- "svn log -v" will list the existence of the unreadable paths;
	- "svn log -v" will show the commit's log message, which might be
	considered sensitive metadata in some situations;
	- "svn propget" is also able to fetch the log message of any commit;
	- "svn blame" and other commands that follow renames are able to
	acknowledge the existence of earlier versions of
	files that exist at unreadable locations.

	Severity:
	========

	Mild-to-medium severity, depending on your situation.

	This security issue is not about revealing the contents of protected
	files: it only reveals metadata about protected areas such as paths
	and log messages. This may or may not be important to your
	organization, depending on how you're using path-based authorization,
	and the sensitivity of the metadata.

	(Exception: in the case of "svn blame", and only in svn 1.1-rc2 and
	-rc3, it's possible that older unreadable versions of a file are being
	transported from server to client; the contents aren't displayed, but
	the data is still traveling over the network.)

	These issues only affects users of mod_authz_svn, not people using
	native httpd.conf directives (such as <Limit> or <LimitExcept>)
	directives to limit general readability on whole repositories.


	Workarounds:
	===========

	* Use mod_authz_svn to restrict writes only, not reads.

	* Break unreadable areas into separate repositories, and use native
	apache httpd.conf directives to make them unreadable.


	References:
	==========

	CAN-2004-0749: mod_authz_svn fails to protect metadata

	Recommendation:
	==============

	We recommend an upgrade to 1.0.8 or 1.1.0-rc4.