users@glassfish.java.net

java.net Required Outage - Thursday September 10, starting at 9am PST [GMT-7:00]

From: Eric Renaud <erenaud_at_collab.net>
Date: Wed, 09 Sep 2009 22:54:58 -0700

Hello,

This is to announce a Planned Outage that will occur on java.net:

CollabNet will be patching your site Thursday September 10, starting at
9am PST [GMT-7:00], to close a vulnerability in Subversion. There will
be a short service disruption no longer than 10 minutes.

For more information on the vulnerability please see the advisory below.
The advisory itself is generic to the Subversion product not specific to
your hosted CollabNet site.

We have detected no exploits on our systems via this vulnerability.

Please be aware that CollabNet reserves the right, via our hosting
contract, to implement security fixes as soon as necessary. We strive to
keep our systems as secure as possible and hope this is not a great
inconvenience.

If you have questions or feedback, please contact CollabNet Support.

Thank you.

CollabNet Support Team
http://www.collab.net/support
(800) 211-3047 | +1 (650) 228-2561

============================
Advisory
============================

Subversion clients and servers up to 1.6.3 (inclusive) have heap
overflow issues in the parsing of binary deltas.

Summary:
========

Subversion clients and servers have multiple heap overflow issues in the
parsing of binary deltas. This is related to an allocation vulnerability
in the APR library used by Subversion.

Clients with commit access to a vulnerable server can cause a remote
heap overflow; servers can cause a heap overflow on vulnerable clients
that try to do a checkout or update.

This can lead to a DoS (an exploit has been tested) and to arbitrary
code execution (no exploit tested, but the possibility is clear).

Known vulnerable:
=================

Subversion clients and servers <= 1.5.6.
Subversion clients and servers 1.6.0 through 1.6.3 (inclusive).

Known fixed:
============

Subversion 1.6.4
Subversion 1.5.7

(Search for "Patch" below to see the patches from 1.6.3 -> 1.6.4 and
1.5.6 -> 1.5.7. Search for "Recommendations" to get URLs for the 1.6.4
release and associated APR library patch.)

Details:
========

The libsvn_delta library does not contain sufficient input validation of
svndiff streams. If a stream with large windows is processed, one of
several integer overflows may lead to some boundary checks incorrectly
passing, which in turn can lead to a heap overflow.

Severity:
=========

A remote attacker with commit access to a repository may be able to
execute code on a Subversion server. A malicious server may be able to
execute code on a Subversion client.

Recommendations:
================

We recommend that all users upgrade to Subversion 1.6.4.

We recommend that all users upgrade to the latest versions of APR and
APR-UTIL, or apply the CVE-2009-2412 patch appropriate to their APR
installation from <http://www.apache.org/dist/apr/patches/>.

New Subversion packages can be found at:
http://subversion.tigris.org/project_packages.html.

References:
===========

CVE-2009-2411 (Subversion)
CVE-2009-2412 (APR)

Reported by:
============

Matt Lewis, Google.


Please plan your work on the java.net site accordingly and excuse the
interruption.

Thank you,

java.net Support
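The "Details" section of the advisory above describes the bug class rather than the code: a length-check on a delta window written as "offset + length <= size" silently wraps when an attacker supplies a length near the integer maximum, so the check passes and a later copy runs past the heap buffer. The following C program is an added illustration of that pattern, not Subversion's or APR's code. It decodes a window header in the base-128 integer encoding svndiff uses, shows the flawed check beside an overflow-safe one, and feeds both a constructed header whose source-view length wraps the sum. The struct, the field names, and the 64-byte source and 4096-byte target sizes are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not Subversion code): the length fields of a
   delta window, named here for illustration only. */
typedef struct {
    uint64_t sview_offset;  /* start of the source view */
    uint64_t sview_len;     /* bytes of source the window may read */
    uint64_t tview_len;     /* bytes of target the window produces */
    uint64_t newdata_len;   /* bytes of literal "new data" carried */
} demo_window;

/* Decode one base-128 varint: 7 bits per byte, most significant group
   first, high bit set means another byte follows. Refuses input that
   would overflow a uint64_t instead of silently wrapping.
   Returns bytes consumed, or 0 on error. */
size_t demo_read_varint(const uint8_t *p, size_t avail, uint64_t *out)
{
    uint64_t v = 0;
    for (size_t i = 0; i < avail; i++) {
        if (v >> 57)                 /* another 7-bit group cannot fit */
            return 0;
        v = (v << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80)) {
            *out = v;
            return i + 1;
        }
    }
    return 0;                        /* buffer ended mid-integer */
}

/* Encode a uint64_t in the same varint form. Returns bytes written (<= 10). */
size_t demo_write_varint(uint64_t v, uint8_t *out)
{
    uint8_t tmp[10];
    size_t n = 0;
    do {
        tmp[n++] = v & 0x7f;
        v >>= 7;
    } while (v);
    for (size_t i = 0; i < n; i++)   /* emit most significant group first */
        out[i] = tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0);
    return n;
}

/* Parse the four header varints. Returns bytes consumed, or 0 on error. */
size_t demo_read_window(const uint8_t *p, size_t avail, demo_window *w)
{
    uint64_t *fields[4] = { &w->sview_offset, &w->sview_len,
                            &w->tview_len, &w->newdata_len };
    size_t used = 0;
    for (int i = 0; i < 4; i++) {
        size_t n = demo_read_varint(p + used, avail - used, fields[i]);
        if (n == 0)
            return 0;
        used += n;
    }
    return used;
}

/* The flawed pattern: the sum is formed first, so an sview_len near
   UINT64_MAX wraps it to a small number and the check passes. */
bool demo_window_ok_unsafe(const demo_window *w, uint64_t source_size,
                           uint64_t target_cap)
{
    return w->sview_offset + w->sview_len <= source_size
        && w->tview_len <= target_cap;
}

/* The hardened pattern: never form a sum that can wrap; compare each
   length against the room that remains. */
bool demo_window_ok_safe(const demo_window *w, uint64_t source_size,
                         uint64_t target_cap)
{
    if (w->sview_offset > source_size)
        return false;
    if (w->sview_len > source_size - w->sview_offset)
        return false;
    return w->tview_len <= target_cap;
}

/* Build a header, parse it, and run both checks against a 64-byte source
   and a 4096-byte target (sizes assumed). Returns false if parsing fails. */
bool demo_case(uint64_t off, uint64_t len, bool *unsafe_ok, bool *safe_ok)
{
    uint8_t buf[64];
    size_t n = 0;
    n += demo_write_varint(off, buf + n);
    n += demo_write_varint(len, buf + n);
    n += demo_write_varint(4, buf + n);   /* tview_len */
    n += demo_write_varint(0, buf + n);   /* newdata_len */
    demo_window w;
    if (demo_read_window(buf, n, &w) != n)
        return false;
    *unsafe_ok = demo_window_ok_unsafe(&w, 64, 4096);
    *safe_ok   = demo_window_ok_safe(&w, 64, 4096);
    return true;
}

int main(void)
{
    bool u, s;
    /* Constructed malicious header: 16 + (2^64 - 9) wraps to 7. */
    demo_case(16, UINT64_MAX - 8, &u, &s);
    printf("crafted window: unsafe check %s, safe check %s\n",
           u ? "passes" : "rejects", s ? "passes" : "rejects");
    demo_case(16, 32, &u, &s);
    printf("valid window:   unsafe check %s, safe check %s\n",
           u ? "passes" : "rejects", s ? "passes" : "rejects");
    return 0;
}
```

The same reasoning applies to any size that feeds an allocator: compute what remains and compare against it, rather than adding attacker-controlled lengths together and trusting the result.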