A security issue in subversion was fixed upstream and assigned a CVE:
http://openwall.com/lists/oss-security/2014/08/01/4

Links to the upstream commits to fix the issue are linked in the message above. Those commits are from the development branch. It appears that upstream is planning to backport them to 1.7 and 1.8.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Subversion 1.7.18 and 1.8.10 have been released on August 11:
https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E8E6BA.5030100@apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.10/CHANGES
https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E8E6B7.3010503@apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.7.18/CHANGES

It fixes CVE-2014-3528 as well as CVE-2014-3522.

Updated to 1.8.10 in SVN, but it doesn't build now in Cauldron because of Java breakage:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140812150817.luigiwalser.valstar.10045/log/subversion-1.8.10-1.mga5/build.0.20140812150904.log
CC: (none) => dmorganec
Summary: subversion new security issue CVE-2014-3528 => subversion new security issues CVE-2014-3522 and CVE-2014-3528
Ubuntu has issued an advisory for this on August 14: http://www.ubuntu.com/usn/usn-2316-1/
URL: (none) => http://lwn.net/Vulnerabilities/608738/
subversion-1.8.10-1.mga5 built and uploaded in Cauldron. Note that Mageia 3 is not vulnerable to CVE-2014-3522 due to our package not being built with serf support. It is vulnerable in Mageia 4.
CC: dmorganec => (none)
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: normal => major
Updated package uploaded for Mageia 4.

Patched package uploaded for Mageia 3.

Advisory (Mageia 3):
========================

Updated subversion packages fix security vulnerability:

Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server (CVE-2014-3528).

The subversion package has been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3528
http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
http://www.ubuntu.com/usn/usn-2316-1/
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.14-1.2.mga3
subversion-doc-1.7.14-1.2.mga3
libsvn0-1.7.14-1.2.mga3
libsvn-gnome-keyring0-1.7.14-1.2.mga3
libsvn-kwallet0-1.7.14-1.2.mga3
subversion-server-1.7.14-1.2.mga3
subversion-tools-1.7.14-1.2.mga3
python-svn-1.7.14-1.2.mga3
ruby-svn-1.7.14-1.2.mga3
libsvnjavahl1-1.7.14-1.2.mga3
svn-javahl-1.7.14-1.2.mga3
perl-SVN-1.7.14-1.2.mga3
subversion-kwallet-devel-1.7.14-1.2.mga3
subversion-gnome-keyring-devel-1.7.14-1.2.mga3
perl-svn-devel-1.7.14-1.2.mga3
python-svn-devel-1.7.14-1.2.mga3
ruby-svn-devel-1.7.14-1.2.mga3
subversion-devel-1.7.14-1.2.mga3
apache-mod_dav_svn-1.7.14-1.2.mga3

from subversion-1.7.14-1.2.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated subversion packages fix security vulnerabilities:

Ben Reser discovered that Subversion did not correctly validate SSL certificates containing wildcards. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications (CVE-2014-3522).

Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server (CVE-2014-3528).

The subversion package has been updated to 1.8.10 to fix these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3528
http://subversion.apache.org/security/CVE-2014-3522-advisory.txt
http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E8E6BA.5030100@apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.10/CHANGES
http://www.ubuntu.com/usn/usn-2316-1/
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.10-1.mga4
subversion-doc-1.8.10-1.mga4
libsvn0-1.8.10-1.mga4
libsvn-gnome-keyring0-1.8.10-1.mga4
libsvn-kwallet0-1.8.10-1.mga4
subversion-server-1.8.10-1.mga4
subversion-tools-1.8.10-1.mga4
python-svn-1.8.10-1.mga4
ruby-svn-1.8.10-1.mga4
libsvnjavahl1-1.8.10-1.mga4
svn-javahl-1.8.10-1.mga4
perl-SVN-1.8.10-1.mga4
subversion-kwallet-devel-1.8.10-1.mga4
subversion-gnome-keyring-devel-1.8.10-1.mga4
perl-svn-devel-1.8.10-1.mga4
python-svn-devel-1.8.10-1.mga4
ruby-svn-devel-1.8.10-1.mga4
subversion-devel-1.8.10-1.mga4
apache-mod_dav_svn-1.8.10-1.mga4

from subversion-1.8.10-1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
There are bits of procedure here: https://bugs.mageia.org/show_bug.cgi?id=10895#c4
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Works fine Mageia 3 i586.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK
To follow the procedure in comment 5, you need to install subversion-tools for the first part, and apache-mod_dav_svn for the last one.
Testing complete Mageia 4 x86_64.
Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
subversion

default install of subversion

[root@localhost wilcal]# urpmi subversion
Package subversion-1.8.8-1.mga4.i586 is already installed

[wilcal@localhost ~]$ svnadmin create --fs-type fsfs /home/wilcal/svn
bash: svnadmin: command not found

What next?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
(In reply to William Kenney from comment #9)
> What next?

Rémi already answered that question, twice:
https://bugs.mageia.org/show_bug.cgi?id=10895#c8
https://bugs.mageia.org/show_bug.cgi?id=13838#c7
Did it again:

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
subversion subversion-tools apache-mod_dav_svn

default install of subversion, subversion-tools, apache-mod_dav_svn

[root@localhost project]# urpmi subversion
Package subversion-1.8.8-1.mga4.i586 is already installed
[root@localhost project]# urpmi subversion-tools
Package subversion-tools-1.8.8-1.mga4.i586 is already installed
[root@localhost project]# urpmi apache-mod_dav_svn
Package apache-mod_dav_svn-1.8.8-1.mga4.i586 is already installed

[wilcal@localhost ~]$ svnadmin create --fs-type fsfs /home/wilcal/svn
creates svn directory with subversion subdirectories and files.

wilcal@localhost ~]$ cd project
[wilcal@localhost project]$ ls -al
total 24
drwxrwxr-x 5 wilcal wilcal 4096 Aug 19 10:24 ./
drwxr-xr-x 38 wilcal wilcal 4096 Aug 19 10:24 ../
drwxrwxr-x 2 wilcal wilcal 4096 Aug 19 10:24 bin/
-rw------- 1 wilcal wilcal 60 Aug 19 10:24 .directory
drwxrwxr-x 2 wilcal wilcal 4096 Aug 19 10:24 doc/
drwxrwxr-x 2 wilcal wilcal 4096 Aug 19 10:24 src/
[wilcal@localhost project]$ echo test>doc/index.html
[wilcal@localhost project]$ echo stuff>src/Makefile

All went well to here:

[wilcal@localhost project]$ svn import /home/wilcal/project/ file:///home/wilcal/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
This can be validated once the advisory is uploaded.
Validating. Separate advisories uploaded for mga3 and mga4

Could sysadmin please push to 3 & 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0338.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0339.html