Upstream has released version 1.7.14 and 1.8.5, fixing two security issues:
https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FE1.2030700@apache.org%3E
https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FEB.1070508@apache.org%3E

Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
subversion-1.7.14-1.mga3 has been submitted. Someone has to submit subversion-1.8.5 in Cauldron.
CC: (none) => oe
Thanks Oden! I sent a freeze push request for Cauldron.
Blocks: (none) => 11726
Still waiting for the freeze push in Cauldron.

Packages uploaded for Mageia 3 updates_testing:
subversion-1.7.14-1.mga3
subversion-doc-1.7.14-1.mga3
libsvn0-1.7.14-1.mga3
libsvn-gnome-keyring0-1.7.14-1.mga3
libsvn-kwallet0-1.7.14-1.mga3
subversion-server-1.7.14-1.mga3
subversion-tools-1.7.14-1.mga3
python-svn-1.7.14-1.mga3
ruby-svn-1.7.14-1.mga3
libsvnjavahl1-1.7.14-1.mga3
svn-javahl-1.7.14-1.mga3
perl-SVN-1.7.14-1.mga3
subversion-kwallet-devel-1.7.14-1.mga3
subversion-gnome-keyring-devel-1.7.14-1.mga3
perl-svn-devel-1.7.14-1.mga3
python-svn-devel-1.7.14-1.mga3
ruby-svn-devel-1.7.14-1.mga3
subversion-devel-1.7.14-1.mga3
apache-mod_dav_svn-1.7.14-1.mga3

from subversion-1.7.14-1.mga3.src.rpm
subversion-1.8.5-1.mga4 uploaded for Cauldron.
Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)
Advisory:
========================

Updated subversion packages fix security vulnerabilities:

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat (CVE-2013-4505).

When SVNAutoversioning is enabled via "SVNAutoversioning on", commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort (CVE-2013-4558).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558
http://subversion.apache.org/security/CVE-2013-4505-advisory.txt
http://subversion.apache.org/security/CVE-2013-4558-advisory.txt
https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FE1.2030700@apache.org%3E
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.14-1.mga3
subversion-doc-1.7.14-1.mga3
libsvn0-1.7.14-1.mga3
libsvn-gnome-keyring0-1.7.14-1.mga3
libsvn-kwallet0-1.7.14-1.mga3
subversion-server-1.7.14-1.mga3
subversion-tools-1.7.14-1.mga3
python-svn-1.7.14-1.mga3
ruby-svn-1.7.14-1.mga3
libsvnjavahl1-1.7.14-1.mga3
svn-javahl-1.7.14-1.mga3
perl-SVN-1.7.14-1.mga3
subversion-kwallet-devel-1.7.14-1.mga3
subversion-gnome-keyring-devel-1.7.14-1.mga3
perl-svn-devel-1.7.14-1.mga3
python-svn-devel-1.7.14-1.mga3
ruby-svn-devel-1.7.14-1.mga3
subversion-devel-1.7.14-1.mga3
apache-mod_dav_svn-1.7.14-1.mga3

from subversion-1.7.14-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
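Added example (not code from Subversion or from this bug report): a simplified Python model of the path check described for CVE-2013-4505 above, showing why a filter that only understands absolute URLs never matches a relative reference, and how resolving and canonicalizing the reference first closes that gap. BASE_URL, BLOCKED and all function names are hypothetical, and "relative URL" is assumed here to mean a reference without scheme and host.

```python
from fnmatch import fnmatchcase
from posixpath import normpath
from urllib.parse import unquote, urljoin, urlsplit

# All values below are constructed for illustration.
BASE_URL = "http://svn.example.org/repos/"   # hypothetical repository root URL
BLOCKED = ["/", "/*/tags", "/*/branches"]    # hypothetical blocked-path globs


def path_if_absolute(src):
    """Flawed model: only an absolute URL is mapped to a repository path."""
    if not src.startswith(BASE_URL):
        return None                  # relative form: no path, so no rule applies
    return "/" + src[len(BASE_URL):].strip("/")


def path_resolved(src, request_url=BASE_URL):
    """Hardened model: resolve any reference, then canonicalize the path."""
    full = urlsplit(urljoin(request_url, src))
    root = urlsplit(BASE_URL)
    if (full.scheme, full.netloc) != (root.scheme, root.netloc):
        raise ValueError("reference points outside this server")
    # normpath collapses '.', '..', repeated and trailing slashes.
    path = normpath(unquote(full.path))
    prefix = root.path.rstrip("/")
    if path != prefix and not path.startswith(prefix + "/"):
        raise ValueError("reference points outside the repository")
    return path[len(prefix):] or "/"


def is_blocked(repo_path):
    """True when a mapped repository path matches one of the blocked globs."""
    return repo_path is not None and any(
        fnmatchcase(repo_path, glob) for glob in BLOCKED)


if __name__ == "__main__":
    for src in (BASE_URL + "proj/tags", "/repos/proj/tags", "proj/tags/"):
        print(src, is_blocked(path_if_absolute(src)),
              is_blocked(path_resolved(src)))
```

The hardened mapper rejects references it cannot place inside the repository instead of letting them pass unmatched, so an unrecognized form fails closed.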
Advisory 11780.adv committed to svn
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Testing complete Mageia 3 i586 and x86_64. Validating the update. Someone from the sysadmin team, please push 11780.adv to updates.
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0360.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/575369/