CVE-2014-8108

Name	CVE-2014-8108
Description	The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity	medium
Debian Bugs	773315

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
subversion (PTS)	stretch	1.9.5-1+deb9u5	fixed
	stretch (security)	1.9.5-1+deb9u6	fixed
	buster, buster (security)	1.10.4-1+deb10u2	fixed
	bookworm, bullseye, sid	1.14.1-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
subversion	source	squeeze	(not affected)
subversion	source	wheezy	(not affected)
subversion	source	(unstable)	1.8.10-5	773315

Notes

[wheezy] - subversion <not-affected> (Introduced in 1.7.0)
[squeeze] - subversion <not-affected> (Introduced in 1.7.0)
http://subversion.apache.org/security/CVE-2014-8108-advisory.txt