Re: Note from Vibin Bruno to your Facebook Page Subversion.
On Tue, Sep 22, 2020 at 4:09 PM Vibin Bruno wrote:
>
> Kindly help in resolving the below vulnerabilities
>
> On Mon, Sep 21, 2020, 02:06 Vibin Bruno wrote:
>>
>> Hi Team,
>>
>> Our security team has raised below vulnerabilities in SVN.
>>
>> 1. Concurrent login allowed in SVN console - same user can login to the
>> console same time using two machines.

This is not a vulnerability. It's a feature. Sessions using SSH keys or credentials may be automated for continuous integration systems to permit dozens or hundreds of simultaneous sessions. It's not a Subversion problem per se; it's built into the transport mechanisms such as SSH sessions for svn+ssh, the svnserve daemon, or the httpd daemon for mod_svn access. It's not built for single-threaded operation, though I suppose with httpd you could set it up that way.

>> 2.
>> Brute Force attack - user should be locked after 3 incorrect login attempts.

That's back-end authentication, typically built into the Kerberos-based authentication of tools like Active Directory or other LDAP and Kerberos systems, not a Subversion issue, which httpd and svnserve and SSH access can use. I suggest that you find whoever is telling you to resolve these issues and enroll them in some courses on how password-based authentication normally works.

>> Kindly help us in resolving the above vulnerabilities.

These are not Subversion issues. They are authentication back-end issues, most of them easily configured for a desired policy. Who is calling these "vulnerabilities"? It's like saying that having a window that opens is a vulnerability; it's how the systems normally work.

Nico Kadel-Garcia

>>
>> Regards,
>> Micheal
>> 867405
Re: Note from Vibin Bruno to your Facebook Page Subversion.
I'm going to guess that you do certification and accreditation, and somebody evaluating your system presented you with a list of findings that have to be addressed. Typically with a commercial vendor, you can communicate with a technical support team (that you pay a lot of money to every year to get that support) that can help you address the findings. However, SVN is not a commercial product - it is an open source product - the product is developed by unpaid volunteers. This mailing list is made up of people who are fellow users of the product and who don't get paid for participating in this list. You can't really demand that anybody do anything for you.

On Tue, Sep 22, 2020 at 4:09 PM Vibin Bruno wrote:
> Kindly help in resolving the below vulnerabilities
>
> On Mon, Sep 21, 2020, 02:06 Vibin Bruno wrote:
>
>> Hi Team,
>>
>> Our security team has raised below vulnerabilities in SVN.
>>
>> 1. Concurrent login allowed in SVN console - same user can login to the
>> console same time using two machines.
>>
>> 2.
>> Brute Force attack - user should be locked after 3 incorrect login
>> attempts.
>>
>> Kindly help us in resolving the above vulnerabilities.
>>
>> Regards,
>> Micheal
>> 867405
Re: Note from Vibin Bruno to your Facebook Page Subversion.
On Sun, Sep 20, 2020 at 4:44 PM Vibin Bruno wrote:
> Hi Team,
>
> Our security team has raised below vulnerabilities in SVN.
>
> 1. Concurrent login allowed in SVN console - same user can login to the
> console same time using two machines.
>
> 2. Brute Force attack - user should be locked after 3 incorrect login
> attempts.
>
> Kindly help us in resolving the above vulnerabilities.

This is not the correct list to report these "problems". SVN does not have a web user interface or console, so you are likely using some other SVN management product and need to report this there.

That said, I would say both of these are more opinion and taste than vulnerabilities. I manage an SVN-related product called SVN Edge and I would not consider "fixing" either of these issues if that is the product you are using. The first one is just straight up not a problem and I would never entertain it as one. The second one is somewhat a problem, though "3" is an arbitrary number and there are a lot of ways to deal with brute-force login attempts. For example, SVN Edge throttles the login attempts, making it impractical to brute-force attack a password.

--
Thanks

Mark Phippard
http://markphip.blogspot.com/
Re: Note from Vibin Bruno to your Facebook Page Subversion.
On Sep 22, 2020, at 14:22, Vibin Bruno wrote:
>
> Kindly help in resolving the below vulnerabilities

You may need to take a different approach when communicating with this list. We are a community of volunteers, users who use Subversion. We can try to help guide you toward solutions, but we are not obligated to deliver answers on demand.

> On Mon, Sep 21, 2020, 02:06 Vibin Bruno wrote:
> Hi Team,
>
> Our security team has raised below vulnerabilities in SVN.
>
> 1. Concurrent login allowed in SVN console - same user can login to the
> console same time using two machines.

Subversion does not have a console. Subversion consists of client programs and libraries, and server programs and modules. If your server is set up to require authentication, then each time you issue a command (checkout, update, commit, etc.) your credentials are sent to the server and verified. There is no persistent connection or login, so there is no such thing as logging in from multiple machines at the same time. Certainly a user can issue one command from one machine, and a moment later the user can issue another command from either the same machine or a different machine. The server does not care where the connections come from as long as the user credentials are verified.

> 2.
> Brute Force attack - user should be locked after 3 incorrect login attempts.

There are several different ways that you can serve your repository (apache mod_dav_svn module, svnserve standalone, svnserve over ssh) and many different ways that authentication can be implemented. Some of the serving methods may give you a way to implement this, but it would be outside my area of expertise.
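Several replies in this thread make the same point: Subversion authenticates every request and keeps no session, so any "lock after N failures" policy has to live in the serving layer (httpd, svnserve, sshd) or in monitoring around it, not in Subversion. The following is an added example, not code from this thread or from the Subversion project, of what that monitoring looks like for an httpd + mod_dav_svn server: it reads Apache combined-format access log lines and flags a client that accumulates a threshold of HTTP 401 responses inside a sliding time window, which is the "throttle rather than hard-lock" approach Mark describes. The log lines, the client addresses, the threshold of 5 failures and the 60-second window are all constructed or assumed values for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format as written by an httpd serving mod_dav_svn.
# Only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client (192.0.2.10) repeatedly fails
# authentication against /svn/repo, another (198.51.100.7) works normally.
SAMPLE_LOG = """\
192.0.2.10 - alice [22/Sep/2020:14:22:01 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381 "-" "SVN/1.14.0"
192.0.2.10 - alice [22/Sep/2020:14:22:02 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381 "-" "SVN/1.14.0"
198.51.100.7 - bob [22/Sep/2020:14:22:02 +0000] "OPTIONS /svn/repo HTTP/1.1" 200 190 "-" "SVN/1.14.0"
192.0.2.10 - alice [22/Sep/2020:14:22:03 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381 "-" "SVN/1.14.0"
192.0.2.10 - alice [22/Sep/2020:14:22:04 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381 "-" "SVN/1.14.0"
198.51.100.7 - bob [22/Sep/2020:14:22:05 +0000] "PROPFIND /svn/repo/trunk HTTP/1.1" 207 2048 "-" "SVN/1.14.0"
192.0.2.10 - alice [22/Sep/2020:14:22:40 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381 "-" "SVN/1.14.0"
192.0.2.10 - alice [22/Sep/2020:14:23:30 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381 "-" "SVN/1.14.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: [alert timestamps]} for every client that produced
    at least `threshold` HTTP 401 responses within a sliding `window`.

    Each 401 is an authentication failure as seen by httpd; Subversion itself
    keeps no login state, so this is where a lockout/throttle policy is judged.
    `threshold` and `window` are assumed policy values, not Subversion settings.
    """
    recent = defaultdict(deque)   # ip -> timestamps of 401s still inside the window
    alerts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop failures that have aged out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["ip"]].append(rec["ts"])
            q.clear()   # one alert per burst; start counting again afterwards
    return dict(alerts)


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        for ts in when:
            print(f"{ts.isoformat()}  {ip}: repeated authentication failures")
```

On the constructed sample, 192.0.2.10 trips the detector once, at the fifth failure (14:22:40), and the working client never appears. The same per-request view is why the thread's first finding (two machines "logged in" at once) has nothing to detect: each request is independently authenticated, so two addresses presenting valid credentials for the same user is the normal case, not an anomaly.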
Re: Note from Vibin Bruno to your Facebook Page Subversion.
Kindly stop spamming this list.
Re: Note from Vibin Bruno to your Facebook Page Subversion.
Kindly help in resolving the below vulnerabilities

On Mon, Sep 21, 2020, 02:06 Vibin Bruno wrote:
> Hi Team,
>
> Our security team has raised below vulnerabilities in SVN.
>
> 1. Concurrent login allowed in SVN console - same user can login to the
> console same time using two machines.
>
> 2.
> Brute Force attack - user should be locked after 3 incorrect login
> attempts.
>
> Kindly help us in resolving the above vulnerabilities.
>
> Regards,
> Micheal
> 867405
Note from Vibin Bruno to your Facebook Page Subversion.
Hi Team,

Our security team has raised below vulnerabilities in SVN.

1. Concurrent login allowed in SVN console - same user can login to the console same time using two machines.

2. Brute Force attack - user should be locked after 3 incorrect login attempts.

Kindly help us in resolving the above vulnerabilities.

Regards,
Micheal
867405