
CVE-2018-11803

Published: 18 January 2019

Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.

Notes

Author: leosilva
Note: as mentioned in the description, code was introduced in 1.10
trusty, xenial, bionic and precise/esm are not affected.
Priority

Medium

CVSS 3 base score: 7.5

Status

Package: subversion (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Not vulnerable (code not present)
cosmic     Released (1.10.0-2ubuntu2.1)
disco      Ignored (reached end-of-life)
eoan       Ignored (reached end-of-life)
focal      Not vulnerable (1.13.0-3ubuntu0.1)
groovy     Ignored (reached end-of-life)
hirsute    Ignored (reached end-of-life)
impish     Not vulnerable
jammy      Not vulnerable
precise    Not vulnerable (code not present)
trusty     Does not exist (trusty was not-affected [code not present])
upstream   Released (1.10.4,1.11.1)
xenial     Not vulnerable (code not present)

Patches:
upstream: http://svn.apache.org/viewvc/subversion/trunk/subversion/mod_dav_svn/reports/list.c?r1=1850621&r2=1850620&pathrev=1850621&view=patch