On Sep 22, 2020, at 14:22, Vibin Bruno <vbruno...@gmail.com> wrote:
> 
> Kindly help in resolving the below vulnerabilities

You may need to take a different approach when communicating with this list. We 
are a community of volunteers, users who use Subversion. We can try to help 
guide you toward solutions but we are not obligated to deliver answers on 
demand.


> On Mon, Sep 21, 2020, 02:06 Vibin Bruno <vbruno...@gmail.com> wrote:
> Hi Team,
> 
> Our security team has raised below vulnerabilities in SVN.
> 
> 1. Concurrent login allowed in SVN console - same user can login to the 
> console same time using two machines.

Subversion does not have a console. Subversion consists of client programs and 
libraries, and server programs and modules. If your server is set up to require 
authentication, then each time you issue a command (checkout, update, commit, 
etc.) your credentials are sent to the server and verified. There is no 
persistent connection or login, so there is no such thing as logging in from 
multiple machines at the same time. Certainly a user can issue one command from 
one machine, and a moment later the user can issue another command from either 
the same machine or a different machine. The server does not care where the 
connections come from as long as the user credentials are verified.


> 2. Brute Force attack - user should be locked after 3 incorrect login attempts.


There are several different ways that you can serve your repository (Apache 
mod_dav_svn module, svnserve standalone, svnserve over ssh) and many different 
ways that authentication can be implemented. Some of the serving methods may 
give you a way to implement this, but it would be outside my area of expertise.

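Because each Subversion command is authenticated on its own, a "3 incorrect attempts" rule has to be derived from per-request authentication failures on the server side. The following is an added example, not part of the original thread or of Subversion itself: it assumes the repository is served by Apache mod_dav_svn with HTTP Basic authentication and the standard common/combined access log format, and it counts consecutive 401 responses per user name while ignoring the anonymous 401 that is only the server's initial challenge. The function name, threshold constant and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

THRESHOLD = 3  # the value the security team asked for in the quoted request

# Prefix of Apache common/combined log format: host ident user [time] "request" status
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2020:02:00:01 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381
192.0.2.10 - alice [21/Sep/2020:02:00:01 +0000] "OPTIONS /svn/repo HTTP/1.1" 200 188
198.51.100.7 - - [21/Sep/2020:02:01:10 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381
198.51.100.7 - bob [21/Sep/2020:02:01:10 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381
198.51.100.7 - bob [21/Sep/2020:02:01:12 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381
203.0.113.5 - bob [21/Sep/2020:02:01:13 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381
192.0.2.10 - alice [21/Sep/2020:02:02:00 +0000] "PROPFIND /svn/repo HTTP/1.1" 401 381
192.0.2.10 - alice [21/Sep/2020:02:02:05 +0000] "PROPFIND /svn/repo HTTP/1.1" 207 412
"""

def find_lockout_candidates(lines, threshold=THRESHOLD):
    """Return {user: [source hosts]} for users with >= threshold consecutive 401s."""
    streak = defaultdict(list)  # user -> hosts seen in the current failure run
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        user, status = m["user"], int(m["status"])
        if user == "-":
            continue  # no credentials sent: the 401 is a challenge, not a failure
        if status == 401:
            streak[user].append(m["host"])
            if len(streak[user]) >= threshold:
                flagged[user] = sorted(set(streak[user]))
        elif status < 400:
            streak[user].clear()  # a verified request ends the failure run
    return flagged

if __name__ == "__main__":
    for user, hosts in find_lockout_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {THRESHOLD}+ consecutive failed logins from {hosts}")
```

The function only reports candidates; applying an actual lock is left to whatever authentication backend the server uses. Counting per user rather than per address is what lets it catch the constructed `bob` case, where the failures arrive from two different machines.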