| Summary: | subversion new security issue CVE-2020-17525 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Stig-Ørjan Smelror <smelror> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | subversion-1.10.6-1.mga7.src.rpm | CVE: | CVE-2020-17525 |
| Status comment: | |||
|
Description
Stig-Ørjan Smelror
2021-02-11 13:54:21 CET
Stig-Ørjan Smelror
2021-02-11 13:55:33 CET
CVE: (none) => CVE-2020-17525

Advisory
========

Subversion has been updated to fix a remote unauthenticated denial-of-service in Subversion mod_authz_svn.

References
==========

https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

Files
=====

Uploaded to core/updates_testing

subversion-1.10.7-1.mga7
subversion-doc-1.10.7-1.mga7
lib64svn0-1.10.7-1.mga7
lib64svn-gnome-keyring0-1.10.7-1.mga7
subversion-server-1.10.7-1.mga7
subversion-tools-1.10.7-1.mga7
python2-svn-1.10.7-1.mga7
ruby-svn-1.10.7-1.mga7
lib64svnjavahl1-1.10.7-1.mga7
svn-javahl-1.10.7-1.mga7
perl-SVN-1.10.7-1.mga7
subversion-gnome-keyring-devel-1.10.7-1.mga7
perl-svn-devel-1.10.7-1.mga7
python2-svn-devel-1.10.7-1.mga7
ruby-svn-devel-1.10.7-1.mga7
subversion-devel-1.10.7-1.mga7
apache-mod_dav_svn-1.10.7-1.mga7

from subversion-1.10.7-1.mga7.src.rpm

Assignee: smelror => qa-bugs

1.14.1 needs to be pushed in mga8.

Whiteboard: (none) => MGA7TOO, MGA8TOO

I've sent a Freeze push request to @dev.

RedHat has issued an advisory for this on February 15:
https://access.redhat.com/errata/RHSA-2021:0507

Summary: Subversion security issue CVE-2020-17525 => subversion new security issue CVE-2020-17525

Fixed in Cauldron and awaiting validation for mga7.

Whiteboard: MGA7TOO, MGA8TOO => (none)
David Walser
2021-02-20 19:33:16 CET
Version: Cauldron => 7

MGA7-64 MATE on PeaqC1011
No installation issues
Following Dave's lead from bug 10895, I run into problems:

$ cd Documents/
$ svnadmin create --fs-type fsfs /home/tester7/Documents/svn
$ mkdir project
$ cd project/
$ mkdir bin
$ mkdir src
$ mkdir doc
$ echo test>doc/index.html
$ echo stuff>src/Makefile
$ svn import /home/tester7/Documents/project/ file:///home/tester7/Documents/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found

I can't imagine I would have to set these manually????

CC: (none) => herman.viaene

It seems that none of the SVN_EDITOR, VISUAL or EDITOR variables have been set for this user account. These are not set by default. So, I think you must set them beforehand.

CC: (none) => ouaurelien

Well, I've not seen these noticed on the previous updates. I'm pretty sure I would have noted it when such a thing was needed, and I trust Dave would have done the same.
I noticed, comparing the notes with the actual config files in /etc, that there are some changes to the subversion configs.
But anyway, in the years I have been testing updates before, I've never come across this situation. And I don't like it a bit.

svn has always done that

Debian has issued an advisory for this on February 13:
https://www.debian.org/security/2021/dsa-4851

I've long had ...

$ env|grep EDIT
EDITOR=/usr/bin/mcedit

for reasons other than svn, so hadn't noticed that it was needed.

Tested by adding/committing the advisory to svn for this bug report ...

[dave@x3 advisories]$ mgaadv new security 28348 subversion
[dave@x3 advisories]$ svn add 28348.adv
A 28348.adv
[dave@x3 advisories]$ svn ci -m 'Adding security advisory for subversion mga#28348'
Adding 28348.adv
Transmitting file data .done
Committing transaction...
Committed revision 11385.

Mageia 7 x86_64 ok, validating the update.

CC: (none) => davidwhodgins, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0091.html

Status: NEW => RESOLVED |