Upstream has released version 1.8.11 on December 15, fixing two security issues:
https://mail-archives.apache.org/mod_mbox/subversion-dev/201412.mbox/%3C548F4EF1.9070900@apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.11/CHANGES

Update checked into SVN for Mageia 4 and Cauldron. Freeze push requested for Cauldron.
Whiteboard: (none) => MGA4TOO,
Whiteboard: MGA4TOO, => MGA4TOO
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

A NULL pointer dereference flaw was found in the way mod_dav_svn handled REPORT requests. A remote, unauthenticated attacker could use a crafted REPORT request to crash mod_dav_svn (CVE-2014-3580).

A NULL pointer dereference flaw was found in the way mod_dav_svn handled URIs for virtual transaction names. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash (CVE-2014-8108).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108
http://subversion.apache.org/security/CVE-2014-3580-advisory.txt
http://subversion.apache.org/security/CVE-2014-8108-advisory.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1174054
https://bugzilla.redhat.com/show_bug.cgi?id=1174057
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.11-1.mga4
subversion-doc-1.8.11-1.mga4
libsvn0-1.8.11-1.mga4
libsvn-gnome-keyring0-1.8.11-1.mga4
libsvn-kwallet0-1.8.11-1.mga4
subversion-server-1.8.11-1.mga4
subversion-tools-1.8.11-1.mga4
python-svn-1.8.11-1.mga4
ruby-svn-1.8.11-1.mga4
libsvnjavahl1-1.8.11-1.mga4
svn-javahl-1.8.11-1.mga4
perl-SVN-1.8.11-1.mga4
subversion-kwallet-devel-1.8.11-1.mga4
subversion-gnome-keyring-devel-1.8.11-1.mga4
perl-svn-devel-1.8.11-1.mga4
python-svn-devel-1.8.11-1.mga4
ruby-svn-devel-1.8.11-1.mga4
subversion-devel-1.8.11-1.mga4
apache-mod_dav_svn-1.8.11-1.mga4

from subversion-1.8.11-1.mga4.src.rpm
Severity: normal => major
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Assignee: bugsquad => qa-bugs
Quoting Rémi from last time...

There are bits of procedure here:
https://bugs.mageia.org/show_bug.cgi?id=10895#c4

To follow that procedure, you need to install subversion-tools for the first part, and apache-mod_dav_svn for the last one.
Whiteboard: (none) => has_procedure
MGA4-32 on Acer D620,
Trying to install from Core updates testing I get in MCC:
Sorry, the following package cannot be selected:

- subversion-kwallet-devel-1.8.11-1.mga4.i586
Is this essential to the issue?
CC: (none) => herman.viaene
MGA4-64 on HP Probook 6555b
No installation issues, but trying to repeat the procedure of Comment 2, throws a problem.
At the CLI:
svn import /home/xxxx/project/ file:///home/xxxx/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found
I tried
svn import -m "Test update" /home/tester4/project/ file:///home/tester4/svn/project
That seemed to do the trick. Checkin and checkout OK
Then used su -l on second konsole tab to edit the subversion.conf file to refer to /home/xxxx/svn as SVN path and restart the httpd service, as I never use sudo
Pointing Firefox to http://http://localhost/svn/repos results in Object not found ......Error 404
Subversion.conf file:
<IfModule mod_dav_svn.c>

#<Location /svn/repos>
#   DAV svn
#   SVNPath /home/xxxx/svn
#
#   # Limit write permission to list of valid users.
#   <LimitExcept GET PROPFIND OPTIONS REPORT>
#      # Require SSL connection for password protection.
#      # SSLRequireSSL
#
#      AuthType Basic
#      AuthName "Authorization Realm"
#      AuthUserFile /path/to/passwdfile
#      AuthzSVNAccessFile /path/to/access/file
#      Require valid-user
#   </LimitExcept>
#</Location>

</IfModule>
(In reply to Herman Viaene from comment #3)
> MGA4-32 on Acer D620,
> Trying to install from Core updates testing I get in MCC:
> Sorry, the following package cannot be selected:
>
> - subversion-kwallet-devel-1.8.11-1.mga4.i586
> Is this essential to the issue?

Why can't it be selected?

(In reply to Herman Viaene from comment #5)
> Subversion.conf file:
> <IfModule mod_dav_svn.c>
>
> #<Location /svn/repos>
> #   DAV svn
> #   SVNPath /home/xxxx/svn
> #
> #   # Limit write permission to list of valid users.
> #   <LimitExcept GET PROPFIND OPTIONS REPORT>
> #      # Require SSL connection for password protection.
> #      # SSLRequireSSL
> #
> #      AuthType Basic
> #      AuthName "Authorization Realm"
> #      AuthUserFile /path/to/passwdfile
> #      AuthzSVNAccessFile /path/to/access/file
> #      Require valid-user
> #   </LimitExcept>
> #</Location>
>
> </IfModule>

It's commented out, that's why /svn/repos doesn't exist.
On Comment 5 : for other ones not to make the same mistakes, the 3 lines <Location>, SVNPath and </Location> have to be effective (not commented out).
Then the svn repos works OK
Whiteboard: has_procedure => has_procedure MGA4-64 OK
(In reply to Herman Viaene from comment #7)
> On Comment 5 : for other ones not to make the same mistakes, the 3 lines
> <Location>, SVNPath and </Location> have to be effective (not commented out).
> Then the svn repos works OK

Four lines: forgot to mention DAV line
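
An added example, not part of the original thread or of the Mageia or Subversion projects: a small check for the failure discussed above. It lists the <Location> blocks that are actually active in a subversion.conf and shows whether DAV svn, SVNPath and a Require directive are in effect, since the four-line version leaves the LimitExcept/Require block commented out. The function name and both abbreviated sample configs are constructed for illustration.

```python
import re

# Constructed sample: the block as posted in the thread (abbreviated), fully commented out.
AS_POSTED = """\
<IfModule mod_dav_svn.c>
#<Location /svn/repos>
#   DAV svn
#   SVNPath /home/xxxx/svn
#   <LimitExcept GET PROPFIND OPTIONS REPORT>
#      Require valid-user
#   </LimitExcept>
#</Location>
</IfModule>
"""

# Constructed sample: the same block with only the four lines from the thread enabled.
FOUR_LINES_ENABLED = """\
<IfModule mod_dav_svn.c>
<Location /svn/repos>
   DAV svn
   SVNPath /home/xxxx/svn
#   <LimitExcept GET PROPFIND OPTIONS REPORT>
#      Require valid-user
#   </LimitExcept>
</Location>
</IfModule>
"""

def active_svn_locations(conf_text):
    """Map each uncommented <Location> path to the SVN/auth directives active inside it."""
    found, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache ignores comment lines, so a commented block defines nothing
        opened = re.match(r'<Location\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = found.setdefault(opened.group(1).strip(),
                                       {"dav_svn": False, "svn_path": None, "require": None})
        elif line.lower().startswith("</location"):
            current = None
        elif current is not None:
            key, arg = (line.split(None, 1) + [""])[:2]
            if key.lower() == "dav":
                current["dav_svn"] = arg.lower() == "svn"
            elif key.lower() in ("svnpath", "svnparentpath"):
                current["svn_path"] = arg
            elif key.lower() == "require":
                current["require"] = arg  # None means no Require is in effect here
    return found
```

An empty result for the file as posted matches the 404 on /svn/repos; with the four lines enabled the location appears with "require" still None.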
On Comment 6 ref. Comment 3
I first updated in MCC the core updates testing and then tried again to install subversion-kwallet-devel-1.8.11-1.mga4.i586, and this time it drew in a whole bunch of dependencies.
Once all packages installed, the test procedure runs OK.

Note on this subversion-kwallet. I do this test on a Xfce machine, installing this pack drew in 266 dependencies, of which the large majority is KDE related (of course, it is "K"wallet). But am I right in thinking that svn and apache are not really depending on KDE????
Whiteboard: has_procedure MGA4-64 OK => has_procedure MGA4-64 OK MGA4-32-OK
LWN reference for CVE-2014-3580: http://lwn.net/Vulnerabilities/627315/ Nothing for CVE-2014-8108 yet.
URL: (none) => http://lwn.net/Vulnerabilities/627315/
Whiteboard: has_procedure MGA4-64 OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0545.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
LWN reference for CVE-2014-8108: http://lwn.net/Vulnerabilities/627592/