The Apache Software Foundation provides a framework and team of folks for handling reports of security vulnerabilities. If you discover a security vulnerability in Apache Subversion, please follow the instructions found here:
The Subversion development community takes security very seriously. One way we demonstrate this is by not pretending to be cryptography or security experts. Rather than writing a bunch of proprietary security mechanisms for Subversion, we prefer instead to teach Subversion to interoperate with security libraries and protocols provided by those with knowledge of that space. For example, Subversion defers wire encryption to the likes of OpenSSL. It defers authentication and basic authorization to those mechanisms provided by Cyrus SASL or by the Apache HTTP Server and its rich collection of modules. To the degree that we can leverage the knowledge of security experts by using the third-party libraries and APIs they provide, we will continue to do so.
The following is a list of past security advisories issued by the Subversion project.
| Document | Affected Version(s) | Description |
|---|---|---|
| svn-sscanf-advisory.txt | 1.0.0-1.0.2 | Date parser buffer overflow. |
| CAN-2004-0413-advisory.txt | 1.0.0-1.0.4 | Denial of Service and Heap Overflow issue related to string parsing in svnserve. |
| mod_authz_svn-copy-advisory.txt | 1.0.0-1.0.5 | mod_authz_svn exposure of unreadable paths via deep copy to readable location. |
| CAN-2004-0749-advisory.txt | 1.0.0-1.0.7, 1.1.0-rcX | Revision metadata leakage in mod_dav_svn. |
| CVE-2007-2448-advisory.txt | 1.0.1-1.4.3 | Revision metadata leakage via 'svn prop*' commands. |
| CVE-2007-3846-advisory.txt | 1.0.0-1.4.4 | Remote file delivery and installation via path mis-handling. |
| CVE-2009-2411-advisory.txt | 1.0.0-1.6.3 | Heap Overflow in binary delta parser. |
| CVE-2010-3315-advisory.txt | 1.5.0-1.5.7, 1.6.0-1.6.12 | mod_dav_svn exposure of unreadable paths when SVNPathAuthz "short_circuit" is employed. |
| CVE-2010-4539 | 1.0.0-1.5.8, 1.6.0-1.6.13 | mod_dav_svn potential crash when using SVNParentPath. |
| CVE-2010-4644 | 1.5.0-1.5.8, 1.6.0-1.6.13 | Server out-of-memory error caused by 'blame -g'. |
| CVE-2011-0715-advisory.txt | 1.2.0-1.5.9, 1.6.0-1.6.15 | Server NULL-pointer dereference. |
| CVE-2011-1752-advisory.txt | 1.0.0-1.6.16 | Server NULL-pointer dereference. |
| CVE-2011-1783-advisory.txt | 1.5.0-1.6.16 | Server memory exhaustion. |
| CVE-2011-1921-advisory.txt | 1.5.0-1.6.16 | mod_dav_svn exposure of unreadable paths. |