Bug 1521

Summary: subversion security update
Product: Mageia Reporter: Jérôme Soyer <saispo>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED DUPLICATE QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, stewbintn, stormi-mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: subversion-1.6.16-5.mga1.src.rpm CVE:
Status comment:

Description Jérôme Soyer 2011-06-02 12:01:45 CEST 
Package        : subversion
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1752 CVE-2011-1783 CVE-2011-1921

Several vulnerabilities were discovered in Subversion, the version
control system. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2011-1752

   The mod_dav_svn Apache HTTPD server module can be crashed though
   when asked to deliver baselined WebDAV resources.

CVE-2011-1783

   The mod_dav_svn Apache HTTPD server module can trigger a loop which
   consumes all available memory on the system.

CVE-2011-1921

   The mod_dav_svn Apache HTTPD server module may leak to remote users
   the file contents of files configured to be unreadable by those
   users.
Comment 1 Pascal Terjan 2011-06-07 11:30:22 CEST 
*** Bug 1642 has been marked as a duplicate of this bug. ***
Comment 2 Stew Benedict 2011-06-15 13:21:18 CEST 
cve.mitre.org links:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1921

Upstream has indicated that 1.6.17 corrects the issue, and Debian has released packages with 1.6.17. I am not finding any published POCs to test the issues.

Randomly picking this as our first "official" update candidate for mga1, to walk through the process.

CC: (none) => stewbintn

Comment 3 Stew Benedict 2011-06-15 14:10:36 CEST 
Still waking up I guess. This bug raises the question of how we handle for updates. Make a first exception and bump the version, or backport patches?

Debian released old versions for some releases, presumably patched, so there should be patches we can use:


For the oldstable distribution (lenny), this problem has been fixed in
version 1.5.1dfsg1-7.

For the stable distribution (squeeze), this problem has been fixed in
version 1.6.12dfsg-6.
Comment 4 Ahmad Samir 2011-06-15 17:56:56 CEST 
I think bump the version, mga1 is already at 1.6.16, so just one point release.

FWIW, subversion-1.6.17 has been in cauldron since 12th of June, on regressions AFAICS (i.e. I didn't see any, and no open reports in our bugzilla).
Comment 5 Nicolas Vigier 2011-06-28 01:11:02 CEST 
Package with patchs from debian for cve-2011-1752, cve-2011-1783, cve-2011-1921 submitted to updates_testing.

Status: NEW => ASSIGNED
CC: (none) => boklm
Assignee: bugsquad => qa-bugs

Comment 6 Ahmad Samir 2011-07-03 07:43:27 CEST 
From bug 1700, subversion-1.6.17 is already in 2010.1/2 main/updates, we'll have to update to that version to smooth upgrades.
Comment 7 Dave Hodgins 2011-07-07 02:20:46 CEST 
Regarding Comment 6, does that mean there is a further change coming, or should
testing proceed?

CC: (none) => davidwhodgins

Comment 8 Samuel Verschelde 2011-07-30 23:37:24 CEST 
Closing, because now things happen in bug #2239 (which was almost a duplicate but now is the one that gets the focus :))

*** This bug has been marked as a duplicate of bug 2239 ***

Status: ASSIGNED => RESOLVED
CC: (none) => stormi
Resolution: (none) => DUPLICATE

Nicolas Vigier 2014-05-08 18:05:18 CEST

CC: boklm => (none)