Latest Updates
Subversion Vulnerability in Serf
Posted by Phil Richardson on 14 August 2014 12:34 PM

The Apache Subversion team have recently published details of two vulnerabilities in the Serf RA layer.

Firstly, vulnerable versions of the Serf RA layer will accept certificates that they should not accept as matching the hostname the client is using to make the request. This is deemed a Medium risk vulnerability.

Additionally, affected versions of the Serf RA layer do not properly handle certificates with embedded NUL bytes in their Common Names or Subject Alternate Names. This is also deemed a Medium risk vulnerability.

Either of these issues, or a combination of both, could lead to a man-in-the-middle attack and allow viewing of encrypted data and unauthorised repository access.

A further vulnerability has also been identified in the way that Subversion indexes cached authentication credentials. An MD5 hash collision can be engineered such that cached credentials are leaked to a third party. This is deemed a Low risk vulnerability.

For more information on these issues please see the following links:
http://subversion.apache.org/security/CVE-2014-3522-advisory.txt
http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
https://groups.google.com/forum/#!msg/serf-dev/NvgPoK6sFsc/_TR7Buxtba0J

The ra_serf vulnerability affects Subversion versions 1.4.0-1.7.17 and 1.8.0-1.8.9. The Serf library vulnerability affects Serf versions 0.2.0 through 1.3.6 inclusive. Finally, the credentials vulnerability affects Subversion versions 1.0.0-1.7.17 and 1.8.0-1.8.9.

If you are using any of the vulnerable versions mentioned above we would urge you to upgrade to the latest release, either 1.8.10 or 1.7.18. Both are available on our website at https://www.wandisco.com/subversion/download.

We believe that the information contained above, including the links to the Apache.org communications, should be all that you need to deal with these issues. However, should further queries arise, feel free to reach out to the support team and we'll do what we can to assist.
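To illustrate the embedded-NUL issue described above, the following added example (not code from Serf, Subversion or WANdisco) contrasts a C-string name comparison with a length-aware check that rejects any name containing a NUL byte. The struct, function names and sample names are assumptions made for the illustration, and wildcard matching is left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A certificate name as decoded from ASN.1: raw bytes plus an explicit length. */
struct cert_name { const unsigned char *data; size_t len; };

/* Case-insensitive comparison of exactly n bytes. */
static bool ieq(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Flawed pattern: C-string view of the name; needs NUL-terminated data. */
static bool name_matches_cstring(const struct cert_name *n, const char *host)
{
    size_t seen = strlen((const char *)n->data);   /* stops at an embedded NUL */
    return seen == strlen(host) && ieq(n->data, host, seen);
}

/* Hardened check over all names (CN and SANs): any embedded NUL rejects the
 * certificate; otherwise a name must equal the host over its full length. */
static bool cert_matches_host(const struct cert_name *names, size_t count, const char *host)
{
    bool matched = false;
    size_t hlen = strlen(host);
    for (size_t i = 0; i < count; i++) {
        if (memchr(names[i].data, '\0', names[i].len)) return false;
        if (names[i].len == hlen && ieq(names[i].data, host, hlen)) matched = true;
    }
    return matched;
}

/* Constructed sample names (not taken from any real certificate). */
static const struct cert_name SAMPLE_BAD =
    { (const unsigned char *)"svn.example.org\0.other.example", 30 };
static const struct cert_name SAMPLE_GOOD =
    { (const unsigned char *)"SVN.example.org", 15 };

int main(void)
{
    const char *h = "svn.example.org";
    printf("%d %d %d\n", name_matches_cstring(&SAMPLE_BAD, h),
           cert_matches_host(&SAMPLE_BAD, 1, h), cert_matches_host(&SAMPLE_GOOD, 1, h));
    return 0;
}
```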





OpenSSL Vulnerability – The Heartbleed Bug
Posted by Phil Richardson on 11 April 2014 03:58 PM
The OpenSSL team recently published a security advisory regarding the TLS heartbeat read overrun. This vulnerability allows a connected client or server to read memory in chunks of up to 64k, and different chunks can be requested on each attack.

The vulnerability affects versions 1.0.1 and 1.0.2-beta of OpenSSL.

The WANdisco SVN binaries for Windows and Solaris available since 2011 have included OpenSSL libraries which are vulnerable. We’ve released updated versions with the patch as of today, so if you are still using one of these older versions please download the latest:

Windows: http://www.wandisco.com/subversion/download#windows

Solaris: http://www.wandisco.com/subversion/download#solaris

Users of our Subversion products (including SVN Multisite) on other operating systems will still need to ensure they’ve updated their OpenSSL package; however, there’s nothing vulnerable included with our binaries. We recommend all users of these operating systems update their version of OpenSSL to 1.0.1g as soon as possible or, if unable to update, recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.

For more information on this vulnerability please see http://heartbleed.com/
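The read overrun comes down to trusting the sender's payload length field. As an added illustration (not OpenSSL's code or its patch), this sketch builds a heartbeat reply using the RFC 6520 message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) and discards any request whose claimed length exceeds the bytes actually received. Function names and sample requests are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PADDING = 16 };

/* Builds the heartbeat response for one received record. Returns the number
 * of bytes written to out, or 0 when the message must be silently discarded. */
static size_t heartbeat_reply(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* sender-controlled */
    /* The check whose absence causes the overrun: the claimed payload plus
     * header and padding must fit inside the bytes actually received. */
    if (HB_HEADER + claimed + HB_MIN_PADDING > rec_len)
        return 0;
    size_t reply_len = HB_HEADER + claimed + HB_MIN_PADDING;
    if (reply_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);      /* echo payload */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PADDING);   /* real stacks use random padding */
    return reply_len;
}

/* Constructed request: claims `claimed` payload bytes but carries `actual` (<= 45). */
static size_t demo_reply_len(uint16_t claimed, size_t actual)
{
    uint8_t rec[64] = {0}, out[128];
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memset(rec + HB_HEADER, 'A', actual);
    return heartbeat_reply(rec, HB_HEADER + actual + HB_MIN_PADDING, out, sizeof out);
}

int main(void)
{
    printf("honest 5-byte payload -> %zu bytes\n", demo_reply_len(5, 5));
    printf("claims 65535, sends 5 -> %zu bytes\n", demo_reply_len(65535, 5));
    return 0;
}
```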



Ticket priority changes
Posted by Phil Richardson on 14 August 2013 10:26 PM

From today, when you raise a support request for any of the WANdisco products, you'll notice that the priority fields offered have changed. 

As our product suite grows, it's important that we make any changes necessary to make it easier for you to raise and escalate support requests, and for our support team to support you to the standard you expect.

You'll now see up to five priority categories for your support ticket, depending on the product and your support agreement. You can see the breakdown of these, and a guide to help you choose the right level, in our KB article here. You'll also see a link to this when you raise a ticket.

We hope you'll find these changes helpful, and welcome your feedback, either in your ticket or in the satisfaction survey you'll receive when your ticket is closed.





NEW - Customer feedback surveys
Posted by Mand Beckett on 07 January 2013 06:50 PM
Here at WANdisco we're very proud of our support team, and spend a lot of time making sure we hire the right people then give them the backing they need to provide top-quality service every single time.

However, we know that the best teams are the ones that are always looking for ways to improve, and the ones that listen to constructive feedback and act upon it.

As a result, we're about to introduce a very short customer feedback survey to get direct feedback in as near to real-time as possible. From today, when your ticket is closed you will receive a link to a survey asking a few multiple-choice questions about your experience contacting support.

The survey is not mandatory, but we would really appreciate your feedback so that we can continue improving and tailoring our service for you. It will only take a couple of minutes to complete, and we'll only use the data for staff training or to improve our support processes.



Updated Support Site
Posted by Kevin Walke (WANdisco) on 14 December 2011 02:23 PM

Welcome to the updated WANdisco support site.

We've made a few changes and we hope you enjoy the new layout. While it does look a lot better, most of the changes have happened behind the scenes and will help us improve how we support you.

Why not let us know what you think next time you submit a ticket? We would welcome your feedback.






For SmartSVN support visit http://support.smartsvn.com
