Subversion HTTP servers 1.5.0 to 1.6.16 (inclusive) are vulnerable to a remotely triggerable memory exhaustion DoS vulnerability. Summary: ======== Subversion's mod_dav_svn Apache HTTPD server module may in certain scenarios enter a logic loop which does not exit and which allocates memory in each iteration, ultimately exhausting all the available memory on the server. This can lead to a DoS. There are no known instances of this problem being observed in the wild, but an exploit has been tested. Known vulnerable: ================= Subversion HTTPD servers >= 1.5.0 and <= 1.6.16 Known fixed: ============ Subversion 1.6.17 svnserve (any version) is not vulnerable Details: ======== Subversion Apache/mod_dav_svn servers may be configured to provide path-based access control for files and directories stored in the Subversion repository. One such configuration -- identified by the use of the SVNPathAuthz httpd.conf directive with a value of "short_circuit" -- instructs mod_dav_svn to directly query the authorization logic in libsvn_repos to answer access questions ("Does the user who is requesting information from this server have permission to read SOME-PATH in SOME-REVISION?") rather than employing Apache subrequests to do the same. With such a configuration in place, certain data sets and access rule combinations can trigger an infinite loop of logic that also allocates memory upon each iteration. Over time, all available system memory will be allocated by the logic loop. Severity: ========= A remote attacker may be able to deny access to a Subversion server by exhausting the available memory on the server. Recommendations: ================ We recommend all users to upgrade to Subversion 1.6.17. Users of Subversion 1.5.x or 1.6.x who are unable to upgrade may apply the included patch. New Subversion packages can be found at: http://subversion.apache.org/packages.html References: =========== CVE-2011-1783 (Subversion) Reported by: ============ Ivan Zhakov, VisualSVN