Debian has issued an advisory on June 9: http://www.debian.org/security/2013/dsa-2703 According to the upstream advisory, the issues are fixed in 1.7.10: http://subversion.apache.org/security/CVE-2013-2112-advisory.txt Mageia 2 and Mageia 3 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO, MGA2TOO
1.7.10 uploaded for all.
CC: (none) => oe
This is also fixed with 1.7.10: http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
Summary: subversion new security issues fixed in 1.7.10 => subversion new security issues fixed in 1.7.10 (CVE-2013-1968, CVE-2013-2112)
Thanks Oden! Advisory: ======================== Updated subversion packages fix security vulnerabilities: Subversion repositories with the FSFS repository data store format can be corrupted by newline characters in filenames. A remote attacker with a malicious client could use this flaw to disrupt the service for other users using that repository (CVE-2013-1968). Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process. A remote attacker can cause svnserve to exit and thus deny service to users of the server (CVE-2013-2112). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112 http://subversion.apache.org/security/CVE-2013-1968-advisory.txt http://subversion.apache.org/security/CVE-2013-2112-advisory.txt http://www.debian.org/security/2013/dsa-2703 ======================== Updated packages in core/updates_testing: ======================== subversion-1.7.10-1.mga2 subversion-doc-1.7.10-1.mga2 libsvn0-1.7.10-1.mga2 libsvn-gnome-keyring0-1.7.10-1.mga2 libsvn-kwallet0-1.7.10-1.mga2 subversion-server-1.7.10-1.mga2 subversion-tools-1.7.10-1.mga2 python-svn-1.7.10-1.mga2 ruby-svn-1.7.10-1.mga2 libsvnjavahl1-1.7.10-1.mga2 svn-javahl-1.7.10-1.mga2 perl-SVN-1.7.10-1.mga2 subversion-kwallet-devel-1.7.10-1.mga2 subversion-gnome-keyring-devel-1.7.10-1.mga2 perl-svn-devel-1.7.10-1.mga2 python-svn-devel-1.7.10-1.mga2 ruby-svn-devel-1.7.10-1.mga2 subversion-devel-1.7.10-1.mga2 apache-mod_dav_svn-1.7.10-1.mga2 subversion-1.7.10-1.mga3 subversion-doc-1.7.10-1.mga3 libsvn0-1.7.10-1.mga3 libsvn-gnome-keyring0-1.7.10-1.mga3 libsvn-kwallet0-1.7.10-1.mga3 subversion-server-1.7.10-1.mga3 subversion-tools-1.7.10-1.mga3 python-svn-1.7.10-1.mga3 ruby-svn-1.7.10-1.mga3 libsvnjavahl1-1.7.10-1.mga3 svn-javahl-1.7.10-1.mga3 perl-SVN-1.7.10-1.mga3 subversion-kwallet-devel-1.7.10-1.mga3 subversion-gnome-keyring-devel-1.7.10-1.mga3 perl-svn-devel-1.7.10-1.mga3 python-svn-devel-1.7.10-1.mga3 ruby-svn-devel-1.7.10-1.mga3 subversion-devel-1.7.10-1.mga3 apache-mod_dav_svn-1.7.10-1.mga3 from SRPMS: subversion-1.7.10-1.mga2.src.rpm subversion-1.7.10-1.mga3.src.rpm
Version: Cauldron => 3Assignee: bugsquad => qa-bugsWhiteboard: MGA3TOO, MGA2TOO => MGA2TOO
No poc, that I can find, so just testing using http://maverick.inria.fr/~Xavier.Decoret/resources/svn/ Testing Mageia 2 shortly i586 & x86_64.
CC: (none) => davidwhodginsWhiteboard: MGA2TOO => MGA2TOO has_procedure
Testing complete, Mageia 2 i586 and x86_64. In addition to http://maverick.inria.fr/~Xavier.Decoret/resources/svn/ also used https://bugs.mageia.org/show_bug.cgi?id=9624#c8 for testing the web interface.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK
Testing Mageia 3 shortly.
Note for future testers, In Mageia 3, /etc/httpd/modules.d/46_mod_dav_svn.conf as been renamed to /etc/httpd/conf/conf.d/subversion.conf
On Mageia 3, apache fails to start with ... httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf/modules.d/10_mod_dav_svn.conf: Cannot load modules/mod_dav_svn.so into server: /etc/httpd/modules/mod_dav_svn.so: undefined symbol: dav_do_find_liveprop
Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK feedback
Looks like apache-mod_dav_svn needs a requires on apache-mod_dav Once that's installed, it works ok. Testing complete on Mageia 3 i586 and x86_64. Would you like to add the requires, or should I open a new bug report for the missing requires, and go ahead with validating this update?
Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK feedback => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK feedback
As this is a security update, Bug 10500 opened for the missing requires. Could someone from the sysadmin team push the srpm subversion-1.7.10-1.mga3.src.rpm from Mageia 3 Core Updates Testing to Core Updates and the srpm subversion-1.7.10-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated subversion packages fix security vulnerabilities: Subversion repositories with the FSFS repository data store format can be corrupted by newline characters in filenames. A remote attacker with a malicious client could use this flaw to disrupt the service for other users using that repository (CVE-2013-1968). Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process. A remote attacker can cause svnserve to exit and thus deny service to users of the server (CVE-2013-2112). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112 http://subversion.apache.org/security/CVE-2013-1968-advisory.txt http://subversion.apache.org/security/CVE-2013-2112-advisory.txt http://www.debian.org/security/2013/dsa-2703 https://bugs.mageia.org/show_bug.cgi?id=10479
Keywords: (none) => validated_updateWhiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK feedback => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OKCC: (none) => sysadmin-bugs
subversion-1.7.10-1.1.mga3 is now available, fixing Bug 10500.
Keywords: validated_update => (none)Blocks: (none) => 10500
Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK
SRPMS: subversion-1.7.10-1.mga2.src.rpm subversion-1.7.10-1.1.mga3.src.rpm
Retesting complete on Mageia 3 i586 and x86_64. Could someone from the sysadmin team push the srpm subversion-1.7.10-1.1.mga3.src.rpm from Mageia 3 Core Updates Testing to Core Updates and the srpm subversion-1.7.10-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated subversion packages fix security vulnerabilities: Subversion repositories with the FSFS repository data store format can be corrupted by newline characters in filenames. A remote attacker with a malicious client could use this flaw to disrupt the service for other users using that repository (CVE-2013-1968). Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process. A remote attacker can cause svnserve to exit and thus deny service to users of the server (CVE-2013-2112). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112 http://subversion.apache.org/security/CVE-2013-1968-advisory.txt http://subversion.apache.org/security/CVE-2013-2112-advisory.txt http://www.debian.org/security/2013/dsa-2703 https://bugs.mageia.org/show_bug.cgi?id=10479
Keywords: (none) => validated_updateWhiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK
Oden, OpenSuSE has issued an advisory for an additional security issue affecting this. They said 1.7.10 is also affected, but they must have a patch. Can we fix this too? The issue is CVE-2013-2088. http://lists.opensuse.org/opensuse-updates/2013-06/msg00136.html http://lwn.net/Vulnerabilities/554423/
Oh, forgot to mention that. I can't see we ship those contrib scripts. http://subversion.apache.org/security/CVE-2013-2088-advisory.txt
You're right, so we don't need to worry about it. Thanks. Sorry for the noise.
Advisory ready to push
http://advisories.mageia.org/MGASA-2013-0175.html
Status: NEW => RESOLVEDCC: (none) => boklmResolution: (none) => FIXED
CC: boklm => (none)