Upstream has released version 1.8.11 on December 15, fixing two security issues:
Update checked into SVN for Mageia 4 and Cauldron.
Freeze push requested for Cauldron.
Updated packages uploaded for Mageia 4 and Cauldron.
Updated subversion packages fix security vulnerabilities:
A NULL pointer dereference flaw was found in the way mod_dav_svn handled
REPORT requests. A remote, unauthenticated attacker could use a crafted
REPORT request to crash mod_dav_svn (CVE-2014-3580).
A NULL pointer dereference flaw was found in the way mod_dav_svn handled URIs
for virtual transaction names. A remote, unauthenticated attacker could send
a request for a virtual transaction name that does not exist, causing
mod_dav_svn to crash (CVE-2014-8108).
Updated packages in core/updates_testing:
Quoting Rémi from last time...
There are bits of procedure here:
To follow that procedure, you need to install subversion-tools for the first part, and apache-mod_dav_svn for the last one.
MGA4-32 on Acer D620,
Trying to install from Core updates testing I get in MCC:
Sorry, the following package cannot be selected:
Is this essential to the issue?
MGA4-64 on HP Probook 6555b
No installation issues, but trying to repeat the procedure of Comment 2, throws a problem. At the CLI:
svn import /home/xxxx/project/ file:///home/xxxx/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found
svn import -m "Test update" /home/tester4/project/ file:///home/tester4/svn/project
That seemed to do the trick.
Checkin and checkout OK
Then used su -l on second konsole tab to edit the subversion.conf file to refer to /home/xxxx/svn as SVN path and restart the httpd service, as I never use sudo
Pointing Firefox to http://localhost/svn/repos results in
Object not found ......Error 404
# DAV svn
# SVNPath /home/xxxx/svn
# # Limit write permission to list of valid users.
# <LimitExcept GET PROPFIND OPTIONS REPORT>
# # Require SSL connection for password protection.
# # SSLRequireSSL
# AuthType Basic
# AuthName "Authorization Realm"
# AuthUserFile /path/to/passwdfile
# AuthzSVNAccessFile /path/to/access/file
# Require valid-user
(In reply to Herman Viaene from comment #3)
> MGA4-32 on Acer D620,
> Trying to install from Core updates testing I get in MCC:
> Sorry, the following package cannot be selected:
> - subversion-kwallet-devel-1.8.11-1.mga4.i586
> Is this essential to the issue?
Why can't it be selected?
(In reply to Herman Viaene from comment #5)
> Subversion.conf file:
> <IfModule mod_dav_svn.c>
> #<Location /svn/repos>
> # DAV svn
> # SVNPath /home/xxxx/svn
> # # Limit write permission to list of valid users.
> # <LimitExcept GET PROPFIND OPTIONS REPORT>
> # # Require SSL connection for password protection.
> # # SSLRequireSSL
> # AuthType Basic
> # AuthName "Authorization Realm"
> # AuthUserFile /path/to/passwdfile
> # AuthzSVNAccessFile /path/to/access/file
> # Require valid-user
> # </LimitExcept>
It's commented out, that's why /svn/repos doesn't exist.
On Comment 5: for other ones not to make the same mistakes, the 3 lines <Location>, SVNPath and </Location> have to be effective (not commented out).
Then the svn repos works OK
has_procedure MGA4-64 OK
(In reply to Herman Viaene from comment #7)
> On Comment 5: for other ones not to make the same mistakes, the 3 lines
> <Location>, SVNPath and </Location> have to be effective (not commented out).
> Then the svn repos works OK
Four lines: forgot to mention DAV line
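The check described in the two comments above, as an added example that is not part of the thread or of the Mageia packages: a shell function that lists which of the four directives (<Location>, DAV svn, SVNPath, </Location>) are not effective in an Apache config file. The function name and the sample files are constructed for illustration, and it assumes the repository is set with SVNPath as in the thread.

```shell
#!/bin/sh
# List the directives mod_dav_svn needs for a published repository that are
# missing or commented out in an Apache config file, one per line.
# Exit status is 0 only if all four are effective.
missing_svn_directives() {
    awk '
        /^[ \t]*#/ { next }                      # commented line: not effective
        { line = tolower($0) }                   # Apache directives are case-insensitive
        line ~ /^[ \t]*<location[ \t]/  { seen["<Location>"] = 1 }
        line ~ /^[ \t]*dav[ \t]+svn/    { seen["DAV svn"] = 1 }
        line ~ /^[ \t]*svnpath[ \t]/    { seen["SVNPath"] = 1 }
        line ~ /^[ \t]*<\/location>/    { seen["</Location>"] = 1 }
        END {
            n = split("<Location>,DAV svn,SVNPath,</Location>", want, ",")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/commented.conf" <<'EOF'
<IfModule mod_dav_svn.c>
#<Location /svn/repos>
#   DAV svn
#   SVNPath /home/xxxx/svn
#</Location>
</IfModule>
EOF
cat > "$demo_dir/active.conf" <<'EOF'
<IfModule mod_dav_svn.c>
<Location /svn/repos>
    DAV svn
    SVNPath /home/xxxx/svn
</Location>
</IfModule>
EOF

for f in commented active; do
    if out=$(missing_svn_directives "$demo_dir/$f.conf"); then
        echo "$f.conf: repository location is active"
    else
        echo "$f.conf: not effective:" $out
    fi
done
```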
On Comment 6 ref. Comment 3
I first updated in MCC the core updates testing and then tried again to install subversion-kwallet-devel-1.8.11-1.mga4.i586, and this time it drew in a whole bunch of dependencies.
Once all packages installed, the test procedure runs OK.
Note on this subversion-kwallet. I do this test on a Xfce machine, installing this pack drew in 266 dependencies, of which the large majority is KDE related (of course, it is "K"wallet). But am I right in thinking that svn and apache are not really depending on KDE????
has_procedure MGA4-64 OK => has_procedure MGA4-64 OK MGA4-32-OK
LWN reference for CVE-2014-3580:
Nothing for CVE-2014-8108 yet.
has_procedure MGA4-64 OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating, advisory uploaded.
has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
LWN reference for CVE-2014-8108: