Upstream has released version 1.8.14 on August 5:
It fixes two security issues. Mageia 4 and Mageia 5 are affected.
Debian has issued an advisory for this on August 10:
The DSA will be posted here:
Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.
Updated subversion packages fix security vulnerabilities:
Subversion's mod_authz_svn does not properly restrict anonymous access in some
mixed anonymous/authenticated environments when using Apache httpd 2.4. The
result is that anonymous access may be possible to files for which only
authenticated access should be possible (CVE-2015-3184).
Subversion servers, both httpd and svnserve, will reveal some paths that
should be hidden by path-based authz. When a node is copied from an
unreadable location to a readable location the unreadable path may be
revealed. This vulnerability only reveals the path, it does not reveal the
contents of the path (CVE-2015-3187).
This update also re-enables the java subpackage for the Mageia 5 subversion
Updated packages in core/updates_testing:
(In reply to David Walser from comment #1)
> Testing procedure:
Note that in Mageia 4 we have to edit /etc/httpd/conf/conf.d/subversion.conf when following this procedure, not /etc/httpd/modules.d/something anymore.
Testing complete using the above procedure. David, I see in subversion's spec file that there is a test suite, but it's not run at build time. Do you know why?
MGA4TOO has_procedure =>
MGA4TOO has_procedure MGA4-64-OK
(In reply to Samuel VERSCHELDE from comment #3)
> Testing complete using the above procedure. David, I see in subversion's
> spec file that there is a test suite, but it's not run at build time. Do you
> know why?
No. I can try running it on the BS in Cauldron and see if it passes.
(In reply to David Walser from comment #4)
> (In reply to Samuel VERSCHELDE from comment #3)
> > Testing complete using the above procedure. David, I see in subversion's
> > spec file that there is a test suite, but it's not run at build time. Do you
> > know why?
> No. I can try running it on the BS in Cauldron and see if it passes.
OK I just looked at this in the SPEC, and I think the comment right at the top answers your question as to why this isn't enabled:
echo "This can take quite some time to finish, so please be patient..."
echo "Don't be too surprised it the tests takes 30 minutes on a dual xeon machine..."
Also, I don't know how long it's been since anyone tried to run it, so all that mess of setting up the LD_LIBRARY_PATH may not even still be correct, and if it's still needed, it doesn't appear that the make check is really designed to actually be used. Upstream should fix that for it to even be worth worrying about.
Updated SVN on my Mageia 5 64bit and used it to upload the advisory. It's a bit light for a test and only covers subversion, lib64svn0 and perl-SVN, but since Stormi tested the full procedure on Mageia 4 already, I'll add an OK.
MGA4TOO has_procedure MGA4-64-OK =>
MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK advisory
Regarding Bug 16075, I have tested the Mageia 5 update and, for me, all is ok now.
An update for this issue has been pushed to Mageia Updates repository.