Bug 30274

Summary: subversion new security issues CVE-2021-28544 and CVE-2022-24070
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: subversion-1.14.1-1.1.mga8.src.rpm
CVE: CVE-2021-28544, CVE-2022-24070
Status comment:

Description Nicolas Salguero 2022-04-12 16:01:42 CEST
Apache has issued advisories on April 12:
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt

The issues are fixed upstream in 1.14.2:
https://www.openwall.com/lists/oss-security/2022/04/12/2

Mageia 8 is also affected.

Nicolas Salguero 2022-04-12 16:02:57 CEST

Source RPM: (none) => subversion-1.14.1-1.1.mga8.src.rpm
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2021-28544, CVE-2022-24070

Comment 1 Nicolas Salguero 2022-04-12 16:32:03 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

SVN authz protected copyfrom paths regression. (CVE-2021-28544)

Subversion's mod_dav_svn is vulnerable to memory corruption. (CVE-2022-24070)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24070
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
https://www.openwall.com/lists/oss-security/2022/04/12/2
========================

Updated packages in core/updates_testing:
========================
apache-mod_dav_svn-1.14.2-1.mga8
lib(64)svn0-1.14.2-1.mga8
lib(64)svnjavahl1-1.14.2-1.mga8
lib(64)svn-gnome-keyring0-1.14.2-1.mga8
lib(64)svn-kwallet0-1.14.2-1.mga8
perl-SVN-1.14.2-1.mga8
python3-svn-1.14.2-1.mga8
subversion-server-1.14.2-1.mga8
subversion-tools-1.14.2-1.mga8
subversion-devel-1.14.2-1.mga8
subversion-1.14.2-1.mga8
subversion-doc-1.14.2-1.mga8
svn-javahl-1.14.2-1.mga8

from SRPM:
subversion-1.14.2-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 2 Dave Hodgins 2022-04-12 20:33:19 CEST
Advisory committed to svn using the new version. Validating the update.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 David Walser 2022-04-12 22:52:38 CEST
Ubuntu has issued an advisory for this today (April 12):
https://ubuntu.com/security/notices/USN-5372-1

Comment 4 Mageia Robot 2022-04-13 18:07:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0140.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED