| Summary: | subversion new security issues CVE-2015-0202, CVE-2015-0248, CVE-2015-0251 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/639042/ | ||
| Whiteboard: | has_procedure advisory mga4-64-ok | ||
| Source RPM: | subversion-1.8.11-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-04-02 14:08:57 CEST

David Walser
2015-04-02 14:09:08 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO

Updated packages uploaded for Mageia 4 and Cauldron. Full advisory to come later. For now, see the upstream references in Comment 0.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=14826#c2

Updated packages in core/updates_testing:
========================
subversion-1.8.13-1.mga4
subversion-doc-1.8.13-1.mga4
libsvn0-1.8.13-1.mga4
libsvn-gnome-keyring0-1.8.13-1.mga4
libsvn-kwallet0-1.8.13-1.mga4
subversion-server-1.8.13-1.mga4
subversion-tools-1.8.13-1.mga4
python-svn-1.8.13-1.mga4
ruby-svn-1.8.13-1.mga4
libsvnjavahl1-1.8.13-1.mga4
svn-javahl-1.8.13-1.mga4
perl-SVN-1.8.13-1.mga4
subversion-kwallet-devel-1.8.13-1.mga4
subversion-gnome-keyring-devel-1.8.13-1.mga4
perl-svn-devel-1.8.13-1.mga4
python-svn-devel-1.8.13-1.mga4
ruby-svn-devel-1.8.13-1.mga4
subversion-devel-1.8.13-1.mga4
apache-mod_dav_svn-1.8.13-1.mga4

from subversion-1.8.13-1.mga4.src.rpm

Version: Cauldron => 4

Advisory:
========================
Updated subversion packages fix security vulnerabilities:

Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests (CVE-2015-0202).

Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers (CVE-2015-0248).

Subversion HTTP servers allow spoofing svn:author property values for new revisions (CVE-2015-0251).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0251
http://subversion.apache.org/security/CVE-2015-0202-advisory.txt
http://subversion.apache.org/security/CVE-2015-0248-advisory.txt
http://subversion.apache.org/security/CVE-2015-0251-advisory.txt
David Walser
2015-04-03 18:57:16 CEST
URL: (none) => http://lwn.net/Vulnerabilities/639042/

Looking at this x64. While I have the info, this link:
http://maverick.inria.fr/~Xavier.Decoret/resources/svn/index.html
looks like a good tutorial about SVN to help understand it & test it basically.

CC: (none) => lewyssmith

Please see the prior linked testing procedure. I can already confirm that regular svn works fine. It's mod_dav_svn that needs to be tested.

Testing complete mga4 64
Tested generally when uploading advisories. Ensured svnserve service starts ok.
Tested apache-mod_dav_svn specifically..
Created a basic svn repository to test with
$ svnadmin create --fs-type fsfs /home/$USER/svn
$ svn mkdir file:///home/$USER/svn/foo -m "created dumb directory"
Committed revision 1.
$ svn ls file:///home/$USER/svn
foo/
Edited the apache-mod_dav_svn conf file..
# nano /etc/httpd/conf/conf.d/subversion.conf
# cat /etc/httpd/conf/conf.d/subversion.conf
<IfModule mod_dav_svn.c>
<Location /svn/repos>
DAV svn
SVNPath /home/claire/svn
#
# # Limit write permission to list of valid users.
# <LimitExcept GET PROPFIND OPTIONS REPORT>
# # Require SSL connection for password protection.
# # SSLRequireSSL
#
# AuthType Basic
# AuthName "Authorization Realm"
# AuthUserFile /path/to/passwdfile
# AuthzSVNAccessFile /path/to/access/file
# Require valid-user
# </LimitExcept>
</Location>
</IfModule>
Restart httpd..
# systemctl restart httpd.service
Browse to http://localhost/svn/repos/ and see..
repos - Revision 1: /
foo/

Whiteboard: has_procedure => has_procedure mga4-64-ok

Validating. Advisory uploaded. Please push to 4 updates
Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0177.html

Status: NEW => RESOLVED
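The mod_dav_svn stanza used in the testing comment above keeps the write-limiting LimitExcept/Require block commented out, so the test repository at /svn/repos accepts commits from unauthenticated clients. The following is an added example, not part of this bug's testing procedure or of the Mageia packages: a small Python audit that flags every <Location> serving "DAV svn" without an active Require directive, run over a constructed copy of that stanza and over an assumed hardened variant with the block uncommented.

```python
# Constructed sample: the mod_dav_svn stanza from the testing comment above,
# with the write-limiting block still commented out (as it was in the test).
SUBVERSION_CONF_OPEN = """\
<IfModule mod_dav_svn.c>
<Location /svn/repos>
DAV svn
SVNPath /home/claire/svn
#   <LimitExcept GET PROPFIND OPTIONS REPORT>
#   AuthType Basic
#   AuthName "Authorization Realm"
#   AuthUserFile /path/to/passwdfile
#   Require valid-user
#   </LimitExcept>
</Location>
</IfModule>
"""

# Assumed hardened variant: the same stanza with the block uncommented.
SUBVERSION_CONF_AUTH = SUBVERSION_CONF_OPEN.replace("\n#   ", "\n    ")

def effective_directives(conf):
    """Yield (keyword, argument-string) for each non-comment, non-blank line."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")

def audit_dav_svn(conf):
    """Map each <Location> that serves a repository with 'DAV svn' to None
    (an active Require directive restricts it) or to a finding string
    (no active Require, so unauthenticated clients may also commit)."""
    findings = {}
    current = dav_svn = has_require = None
    for key, rest in effective_directives(conf):
        low = key.lower()
        if low == "<location":
            current = rest.rstrip(">").strip()
            dav_svn = has_require = False
        elif low == "</location>" and current is not None:
            if dav_svn:
                findings[current] = None if has_require else "no active Require directive"
            current = None
        elif current is not None:
            if low == "dav" and rest.strip().lower() == "svn":
                dav_svn = True
            elif low == "require":
                has_require = True
    return findings
```

Run audit_dav_svn over the text of /etc/httpd/conf/conf.d/subversion.conf; any location mapped to a finding string is a repository the server exposes for anonymous write.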