| Summary: | subversion new security issues CVE-2018-11782 and CVE-2019-0203 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, mageia, marja11, smelror, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6TOO MGA7-64-OK MGA6-64-OK | | |
| Source RPM: | subversion-1.10.4-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2019-08-06 12:55:38 CEST
David Walser
2019-08-06 12:55:48 CEST
Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two committers.

Assignee: bugsquad => pkg-bugs

Ubuntu and Debian have issued advisories for this on July 31 and August 1:
https://usn.ubuntu.com/4082-1/
https://www.debian.org/security/2019/dsa-4490

Severity: normal => major

Advisory
========

This update fixes two security issues.

CVE-2018-11782: Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.

CVE-2019-0203: Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

References
==========
http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

Files
=====

Uploaded to core/updates_testing

perl-SVN-1.9.12-1.mga6
perl-svn-devel-1.9.12-1.mga6
python-svn-1.9.12-1.mga6
python-svn-devel-1.9.12-1.mga6
ruby-svn-1.9.12-1.mga6
ruby-svn-devel-1.9.12-1.mga6
subversion-1.9.12-1.mga6
subversion-debuginfo-1.9.12-1.mga6
subversion-devel-1.9.12-1.mga6
subversion-doc-1.9.12-1.mga6
subversion-gnome-keyring-devel-1.9.12-1.mga6
subversion-server-1.9.12-1.mga6
subversion-tools-1.9.12-1.mga6
svn-javahl-1.9.12-1.mga6

from subversion-1.9.12-1.mga6.src.rpm

Advisory
========

This update fixes two security issues.

CVE-2018-11782: Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.

CVE-2019-0203: Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

References
==========
http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

Files
=====

Uploaded to core/updates_testing

apache-mod_dav_svn-1.10.6-1.mga7
lib64svn-gnome-keyring0-1.10.6-1.mga7
lib64svn0-1.10.6-1.mga7
lib64svnjavahl1-1.10.6-1.mga7
perl-SVN-1.10.6-1.mga7
perl-svn-devel-1.10.6-1.mga7
python2-svn-1.10.6-1.mga7
python2-svn-devel-1.10.6-1.mga7
ruby-svn-1.10.6-1.mga7
ruby-svn-devel-1.10.6-1.mga7
subversion-1.10.6-1.mga7
subversion-devel-1.10.6-1.mga7
subversion-doc-1.10.6-1.mga7
subversion-gnome-keyring-devel-1.10.6-1.mga7
subversion-server-1.10.6-1.mga7
subversion-tools-1.10.6-1.mga7
svn-javahl-1.10.6-1.mga7

from subversion-1.10.6-1.mga7.src.rpm

Stig-Ørjan Smelror
2019-08-12 09:32:45 CEST
Assignee: pkg-bugs => qa-bugs

Installed and tested without issues.

Tested on existing, new, local and remote repositories.
Tested svnadmin's create, info, verify, lock, unlock.
Tested svn checkout, status, log, add, ls, mv, rm, commit, update, mkdir, info, cp.
Tested with normal work usage for several days.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep 1.10.6-1 | sort
lib64svn0-1.10.6-1.mga7
subversion-1.10.6-1.mga7
subversion-tools-1.10.6-1.mga7

CC: (none) => mageia

MGA6-64 Plasma on Lenovo B50
No installation issues
Following test described in bug10895 Comment 4 and config settings in bug14826 Comment 6 7 and 8
Test completed exactly as described.

CC: (none) => herman.viaene

Thanks, guys. Validating. Advisory in Comment 3 and Comment 4.

Keywords: (none) => validated_update

@Stig-Ørjan: you don't need to write 2 advisories when the only difference is the srpms

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0243.html

Status: NEW => RESOLVED