CVE-2015-3184

Publication date 5 August 2015

Last updated 24 July 2024

Ubuntu priority

mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
subversion	15.04 vivid	Fixed 1.8.10-5ubuntu1.1
	14.04 LTS trusty	Fixed 1.8.8-1ubuntu3.2
	12.04 LTS precise	Not affected

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

only an issue with httpd 2.4. Needs to be built against httpd updated with CVE-2015-3185 fix, and needs to be forced as the security update didn't update the API version

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2721-1
Subversion vulnerabilities
20 August 2015

Other references

http://svn.haxx.se/dev/archive-2015-08/0024.shtml
http://subversion.apache.org/security/CVE-2015-3184-advisory.txt
https://www.cve.org/CVERecord?id=CVE-2015-3184