Note from Vibin Bruno to your Facebook Page Subversion.

Note from Vibin Bruno to your Facebook Page Subversion.

Vibin Bruno
Hi Team,

Our security team has raised the below vulnerabilities in SVN.

1. Concurrent login allowed in SVN console - the same user can log in to the console at the same time using two machines.

2. Brute Force attack - user should be locked after 3 incorrect login attempts.

Kindly help us in resolving the above vulnerabilities.

Regards,
Micheal
8655557405

Re: Note from Vibin Bruno to your Facebook Page Subversion.

Vibin Bruno
Kindly help in resolving the below vulnerabilities

On Mon, Sep 21, 2020, 02:06 Vibin Bruno <[hidden email]> wrote:
Hi Team,

Our security team has raised the below vulnerabilities in SVN.

1. Concurrent login allowed in SVN console - the same user can log in to the console at the same time using two machines.

2. Brute Force attack - user should be locked after 3 incorrect login attempts.

Kindly help us in resolving the above vulnerabilities.

Regards,
Micheal
8655557405

Re: Note from Vibin Bruno to your Facebook Page Subversion.

Chris Carman
Kindly stop spamming this list.


Re: Note from Vibin Bruno to your Facebook Page Subversion.

Ryan Schmidt-13
In reply to this post by Vibin Bruno
On Sep 22, 2020, at 14:22, Vibin Bruno <[hidden email]> wrote:
>
> Kindly help in resolving the below vulnerabilities

You may need to take a different approach when communicating with this list. We are a community of volunteers, users who use Subversion. We can try to help guide you toward solutions but we are not obligated to deliver answers on demand.


> On Mon, Sep 21, 2020, 02:06 Vibin Bruno <[hidden email]> wrote:
> Hi Team,
>
> Our security team has raised the below vulnerabilities in SVN.
>
> 1. Concurrent login allowed in SVN console - the same user can log in to the console at the same time using two machines.

Subversion does not have a console. Subversion consists of client programs and libraries, and server programs and modules. If your server is set up to require authentication, then each time you issue a command (checkout, update, commit, etc.) your credentials are sent to the server and verified. There is no persistent connection or login, so there is no such thing as logging in from multiple machines at the same time. Certainly a user can issue one command from one machine, and a moment later the user can issue another command from either the same machine or a different machine. The server does not care where the connections come from as long as the user credentials are verified.


> 2. Brute Force attack - user should be locked after 3 incorrect login attempts.


There are several different ways that you can serve your repository (apache mod_dav_svn module, svnserve standalone, svnserve over ssh) and many different ways that authentication can be implemented. Some of the serving methods may give you a way to implement this, but it would be outside my area of expertise.


Re: Note from Vibin Bruno to your Facebook Page Subversion.

Mark Phippard-3
In reply to this post by Vibin Bruno
On Sun, Sep 20, 2020 at 4:44 PM Vibin Bruno <[hidden email]> wrote:
Hi Team,

Our security team has raised the below vulnerabilities in SVN.

1. Concurrent login allowed in SVN console - the same user can log in to the console at the same time using two machines.

2. Brute Force attack - user should be locked after 3 incorrect login attempts.

Kindly help us in resolving the above vulnerabilities.


This is not the correct list to report these "problems".

SVN does not have a web user interface or console, so you are likely using some other SVN management product and need to report this there. That said, I would say both of these are more opinion and taste than vulnerabilities. I manage a SVN related product called SVN Edge and I would not consider "fixing" either of these issues if that is the product you are using. The first one is just straight up not a problem and I would never entertain it as one. The second one is somewhat a problem though "3" is an arbitrary number and there are a lot of ways to deal with brute force login attempts. For example, SVN Edge throttles the login attempts making it impractical to brute force attack a password.


Re: Note from Vibin Bruno to your Facebook Page Subversion.

Paul Greene
In reply to this post by Vibin Bruno
I'm going to guess that you do certification and accreditation, and somebody evaluating your system presented you with a list of findings that have to be addressed.
Typically with a commercial vendor, you can communicate with a technical support team (that you pay a lot of money to every year to get that support) that can help you address the findings.
However, SVN is not a commercial product - it is an open source product - the product is developed by unpaid volunteers. This mailing list is made up of people that are fellow users of the product who don't get paid for participating in this list.
You can't really demand that anybody do anything for you.

On Tue, Sep 22, 2020 at 4:09 PM Vibin Bruno <[hidden email]> wrote:
Kindly help in resolving the below vulnerabilities

On Mon, Sep 21, 2020, 02:06 Vibin Bruno <[hidden email]> wrote:
Hi Team,

Our security team has raised the below vulnerabilities in SVN.

1. Concurrent login allowed in SVN console - the same user can log in to the console at the same time using two machines.

2. Brute Force attack - user should be locked after 3 incorrect login attempts.

Kindly help us in resolving the above vulnerabilities.

Regards,
Micheal
8655557405

Re: Note from Vibin Bruno to your Facebook Page Subversion.

Nico Kadel-Garcia-2
In reply to this post by Vibin Bruno
On Tue, Sep 22, 2020 at 4:09 PM Vibin Bruno <[hidden email]> wrote:

>
> Kindly help in resolving the below vulnerabilities
>
> On Mon, Sep 21, 2020, 02:06 Vibin Bruno <[hidden email]> wrote:
>>
>> Hi Team,
>>
>> Our security team has raised the below vulnerabilities in SVN.
>>
>> 1. Concurrent login allowed in SVN console - the same user can log in to the console at the same time using two machines.

This is not a vulnerability. It's a feature. Sessions using SSH keys
or credentials may be automated for continuous integration systems to
simultaneously permit dozens or hundreds of simultaneous sessions.
It's not a Subversion problem per se, it's built into the transport
mechanisms such as SSH sessions for svn+ssh, the svnserve daemon, or
the httpd daemon for mod_svn access. It's not built for
single-threaded operation, though I suppose with httpd you could set
it up that way.

>> 2. Brute Force attack - user should be locked after 3 incorrect login attempts.

That's a back end authentication, typically built into the Kerberos
based authentication of tools like Active Directory or other LDAP and
Kerberos systems, not a Subversion issue which httpd and svnserve and
SSH access can use. I suggest that you find whoever is telling you to
resolve these issues and enroll them in some courses on how password
based authentication normally works.

>> Kindly help us in resolving the above vulnerabilities.

These are not Subversion issues. They are authentication back end
issues, most of them easily configured for a desired policy. Who is
calling these "vulnerabilities"? It's like saying that having a window
that opens is a vulnerability, it's how the systems normally work.

Nico Kadel-Garcia

>>
>> Regards,
>> Micheal
>> 8655557405