Daniel Shahaf

**Name of the Vulnerable Software and Affected Versions** zsh versions prior to 5.6 **Description** An issue was discovered in zsh where shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one. This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** For versions prior to 5.6, update to version 5.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of shebang lines exceeding 64 characters until a patch is available. Restrict access to sensitive data and systems to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Subversion versions 1.4.0 through 1.7.12 Apache Subversion versions 1.8.0 through 1.8.1 **Description** The issue allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option. **Recommendations** For Apache Subversion versions 1.4.0 through 1.7.12, update to a version outside of this range to mitigate the risk. For Apache Subversion versions 1.8.0 through 1.8.1, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the `--pid-file` option until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Subversion versions 1.7.0 through 1.7.10 Subversion versions 1.8.x before 1.8.1 **Description** The issue allows remote authenticated users to cause a denial of service, potentially resulting in an assertion failure or out-of-bounds read. This can be achieved by sending a certain request against a revision root, specifically via COPY, DELETE, or MOVE requests. **Recommendations** For Subversion versions 1.7.0 through 1.7.10, update to a version outside of this range to resolve the issue. For Subversion versions 1.8.x before 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the mod dav svn Apache HTTPD server module until a patch is available.