Upstream has released version 1.8.13 on March 31, fixing three security issues:
http://mail-archives.apache.org/mod_mbox/subversion-announce/201503.mbox/%3C20150331120220.GO17807%40jim.stsp.name%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.13/CHANGES

Update checked into SVN for Mageia 4 and Cauldron. Freeze push requested for Cauldron.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Updated packages uploaded for Mageia 4 and Cauldron. Full advisory to come later. For now, see the upstream references in Comment 0.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14826#c2

Updated packages in core/updates_testing:
========================
subversion-1.8.13-1.mga4
subversion-doc-1.8.13-1.mga4
libsvn0-1.8.13-1.mga4
libsvn-gnome-keyring0-1.8.13-1.mga4
libsvn-kwallet0-1.8.13-1.mga4
subversion-server-1.8.13-1.mga4
subversion-tools-1.8.13-1.mga4
python-svn-1.8.13-1.mga4
ruby-svn-1.8.13-1.mga4
libsvnjavahl1-1.8.13-1.mga4
svn-javahl-1.8.13-1.mga4
perl-SVN-1.8.13-1.mga4
subversion-kwallet-devel-1.8.13-1.mga4
subversion-gnome-keyring-devel-1.8.13-1.mga4
perl-svn-devel-1.8.13-1.mga4
python-svn-devel-1.8.13-1.mga4
ruby-svn-devel-1.8.13-1.mga4
subversion-devel-1.8.13-1.mga4
apache-mod_dav_svn-1.8.13-1.mga4

from subversion-1.8.13-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure
Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests (CVE-2015-0202).

Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers (CVE-2015-0248).

Subversion HTTP servers allow spoofing svn:author property values for new revisions (CVE-2015-0251).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0251
http://subversion.apache.org/security/CVE-2015-0202-advisory.txt
http://subversion.apache.org/security/CVE-2015-0248-advisory.txt
http://subversion.apache.org/security/CVE-2015-0251-advisory.txt
URL: (none) => http://lwn.net/Vulnerabilities/639042/
Looking at this x64. While I have the info, this link: http://maverick.inria.fr/~Xavier.Decoret/resources/svn/index.html looks like a good tutorial about SVN to help understand it & test it basically.
CC: (none) => lewyssmith
Please see the prior linked testing procedure. I can already confirm that regular svn works fine. It's mod_dav_svn that needs to be tested.
Testing complete mga4 64

Tested generally when uploading advisories. Ensured svnserve service starts ok.

Tested apache-mod_dav_svn specifically..

Created a basic svn repository to test with

$ svnadmin create --fs-type fsfs /home/$USER/svn
$ svn mkdir file:///home/$USER/svn/foo -m "created dumb directory"
Committed revision 1.
$ svn ls file:///home/$USER/svn
foo/

Edited the apache-mod_dav_svn conf file..

# nano /etc/httpd/conf/conf.d/subversion.conf
# cat /etc/httpd/conf/conf.d/subversion.conf
<IfModule mod_dav_svn.c>
<Location /svn/repos>
DAV svn
SVNPath /home/claire/svn
#
#
# Limit write permission to list of valid users.
# <LimitExcept GET PROPFIND OPTIONS REPORT>
#
# Require SSL connection for password protection.
#
# SSLRequireSSL
#
# AuthType Basic
# AuthName "Authorization Realm"
# AuthUserFile /path/to/passwdfile
# AuthzSVNAccessFile /path/to/access/file
# Require valid-user
# </LimitExcept>
</Location>
</IfModule>

Restart httpd..

# systemctl restart httpd.service

Browse to http://localhost/svn/repos/ and see..

repos - Revision 1: /
foo/
Whiteboard: has_procedure => has_procedure mga4-64-ok
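The test configuration in the comment above leaves the whole "Limit write permission to list of valid users" block commented out, which is fine for a throwaway local test but means the repository accepts commits from anyone who can reach the server. As an added example (not from the bug report, the tester, or Mageia's packaging), here is a small Python audit that parses an httpd configuration and flags <Location> blocks serving a repository via "DAV svn" with no active Require directive; the two sample configurations, the /home/claire/svn path reused from the comment, and the /path/to/... values are constructed placeholders for the example.

```python
"""Audit an httpd mod_dav_svn configuration for repository locations that
carry no active access control.  Added example, not part of the bug report."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the shape of the test configuration from the bug
# comment, with the whole access-control block left commented out.
WEAK_CONF = """\
<IfModule mod_dav_svn.c>
<Location /svn/repos>
DAV svn
SVNPath /home/claire/svn
#
# Limit write permission to list of valid users.
# <LimitExcept GET PROPFIND OPTIONS REPORT>
#   AuthType Basic
#   AuthName "Authorization Realm"
#   AuthUserFile /path/to/passwdfile
#   Require valid-user
# </LimitExcept>
</Location>
</IfModule>
"""

# Constructed sample: the same location with authentication required for every
# method outside the read-only set, plus a path-based authz file for the tree.
HARDENED_CONF = """\
<IfModule mod_dav_svn.c>
<Location /svn/repos>
DAV svn
SVNPath /home/claire/svn
AuthzSVNAccessFile /path/to/access/file
<LimitExcept GET PROPFIND OPTIONS REPORT>
  SSLRequireSSL
  AuthType Basic
  AuthName "Authorization Realm"
  AuthUserFile /path/to/passwdfile
  Require valid-user
</LimitExcept>
</Location>
</IfModule>
"""

Directive = Tuple[str, List[str]]


def parse_locations(conf_text: str) -> List[Dict]:
    """Return one record per <Location> block: its path and the directives
    that are actually in effect.  Comment lines are skipped; nested container
    tags such as <LimitExcept> are descended into but not recorded themselves."""
    blocks: List[Dict] = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: not active configuration
        opened = re.match(r"<Location\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            current = {"path": opened.group(1).strip().strip('"'), "directives": []}
            continue
        if re.match(r"</Location>", line, re.IGNORECASE):
            if current is not None:
                blocks.append(current)
            current = None
            continue
        if current is None or line.startswith("<"):
            continue  # outside any Location, or a nested container open/close tag
        name, *args = line.split()
        current["directives"].append((name.lower(), args))
    return blocks


def find_unprotected_svn_locations(conf_text: str) -> List[str]:
    """Paths of <Location> blocks that serve a Subversion repository ("DAV svn")
    without any active Require directive.  Design choice: an AuthzSVNAccessFile
    on its own is not counted, because it never identifies the client."""
    findings: List[str] = []
    for block in parse_locations(conf_text):
        directives: List[Directive] = block["directives"]
        serves_svn = any(n == "dav" and a and a[0].lower() == "svn" for n, a in directives)
        has_require = any(n == "require" for n, _ in directives)
        if serves_svn and not has_require:
            findings.append(block["path"])
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", find_unprotected_svn_locations(conf) or "no findings")
```

Run it against /etc/httpd/conf/conf.d/subversion.conf by reading the file into find_unprotected_svn_locations(); any path it reports is a repository location that httpd will let an unauthenticated client write to.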
Validating. Advisory uploaded.

Please push to 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0177.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED