The Apache Software Foundation provides a framework and team of folks for handling reports of security vulnerabilities. If you discover a security vulnerability in Apache Subversion, please follow the instructions found here:
To learn more about how the Subversion development team treats discovered and reported security vulnerabilities, please visit the Security section of the Community Guide.
The following is a list of past security advisories issued by the Subversion project.
Document | Affected Version(s) | Description |
---|---|---|
svn-sscanf-advisory.txt | 1.0.0-1.0.2 | Date parser buffer overflow. |
CAN-2004-0413-advisory.txt | 1.0.0-1.0.4 | Denial of Service and Heap Overflow issue related to string parsing in svnserve |
mod_authz_svn-copy-advisory.txt | 1.0.0-1.0.5 | mod_authz_svn exposure of unreadable paths via deep copy to readable location. |
CAN-2004-0749-advisory.txt | 1.0.0-1.0.7, 1.1.0-rcX | Revision metadata leakage in mod_dav_svn. |
CVE-2007-2448-advisory.txt | 1.0.1-1.4.3 | Revision metadata leakage via 'svn prop*' commands. |
CVE-2007-3846-advisory.txt | 1.0.0-1.4.4 | Remote file delivery and installation via path mis-handling. |
CVE-2009-2411-advisory.txt | 1.0.0-1.6.3 | Heap Overflow in binary delta parser. |
CVE-2010-3315-advisory.txt | 1.5.0-1.5.7, 1.6.0-1.6.12 | mod_dav_svn exposure of unreadable paths when SVNPathAuthz "short_circuit" is employed. |
CVE-2010-4539 | 1.0.0-1.5.8, 1.6.0-1.6.13 | mod_dav_svn potential crash when using SVNParentPath |
CVE-2010-4644 | 1.5.0-1.5.8, 1.6.0-1.6.13 | Server out-of-memory error caused by 'blame -g' |
CVE-2011-0715-advisory.txt | 1.2.0-1.5.9, 1.6.0-1.6.15 | Server NULL-pointer dereference |
CVE-2011-1752-advisory.txt | 1.0.0-1.6.16 | Server NULL-pointer dereference |
CVE-2011-1783-advisory.txt | 1.5.0-1.6.16 | Server memory exhaustion |
CVE-2011-1921-advisory.txt | 1.5.0-1.6.16 | mod_dav_svn exposure of unreadable paths |