Upstream has released version 1.8.14 on August 5:
http://svn.haxx.se/dev/archive-2015-08/0024.shtml
http://svn.apache.org/repos/asf/subversion/tags/1.8.14/CHANGES

It fixes two security issues. Mageia 4 and Mageia 5 are affected.

Debian has issued an advisory for this on August 10:
https://lists.debian.org/debian-security-announce/2015/msg00229.html

The DSA will be posted here:
https://www.debian.org/security/2015/dsa-3331

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. The result is that anonymous access may be possible to files for which only authenticated access should be possible (CVE-2015-3184).

Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by path-based authz. When a node is copied from an unreadable location to a readable location the unreadable path may be revealed. This vulnerability only reveals the path, it does not reveal the contents of the path (CVE-2015-3187).

This update also re-enables the java subpackage for the Mageia 5 subversion package (mga#16075).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3187
http://subversion.apache.org/security/CVE-2015-3184-advisory.txt
http://subversion.apache.org/security/CVE-2015-3187-advisory.txt
http://svn.haxx.se/dev/archive-2015-08/0024.shtml
http://svn.apache.org/repos/asf/subversion/tags/1.8.14/CHANGES
https://bugs.mageia.org/show_bug.cgi?id=16075
https://bugs.mageia.org/show_bug.cgi?id=16572
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.14-1.mga4
subversion-doc-1.8.14-1.mga4
libsvn0-1.8.14-1.mga4
libsvn-gnome-keyring0-1.8.14-1.mga4
libsvn-kwallet0-1.8.14-1.mga4
subversion-server-1.8.14-1.mga4
subversion-tools-1.8.14-1.mga4
python-svn-1.8.14-1.mga4
ruby-svn-1.8.14-1.mga4
libsvnjavahl1-1.8.14-1.mga4
svn-javahl-1.8.14-1.mga4
perl-SVN-1.8.14-1.mga4
subversion-kwallet-devel-1.8.14-1.mga4
subversion-gnome-keyring-devel-1.8.14-1.mga4
perl-svn-devel-1.8.14-1.mga4
python-svn-devel-1.8.14-1.mga4
ruby-svn-devel-1.8.14-1.mga4
subversion-devel-1.8.14-1.mga4
apache-mod_dav_svn-1.8.14-1.mga4

subversion-1.8.14-1.mga5
subversion-doc-1.8.14-1.mga5
libsvn0-1.8.14-1.mga5
libsvn-gnome-keyring0-1.8.14-1.mga5
libsvn-kwallet0-1.8.14-1.mga5
subversion-server-1.8.14-1.mga5
subversion-tools-1.8.14-1.mga5
python-svn-1.8.14-1.mga5
ruby-svn-1.8.14-1.mga5
libsvnjavahl1-1.8.14-1.mga5
svn-javahl-1.8.14-1.mga5
perl-SVN-1.8.14-1.mga5
subversion-kwallet-devel-1.8.14-1.mga5
subversion-gnome-keyring-devel-1.8.14-1.mga5
perl-svn-devel-1.8.14-1.mga5
python-svn-devel-1.8.14-1.mga5
ruby-svn-devel-1.8.14-1.mga5
subversion-devel-1.8.14-1.mga5
apache-mod_dav_svn-1.8.14-1.mga5

from SRPMS:
subversion-1.8.14-1.mga4.src.rpm
subversion-1.8.14-1.mga5.src.rpm
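The update lists 1.8.14 as the first Mageia package version carrying the fixes for CVE-2015-3184 and CVE-2015-3187. The shell script below is an added example, not part of this bug report, the Mageia packaging or the Subversion project: it takes an inventory of installed subversion packages in the form produced by `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` and flags every package whose version is below 1.8.14. The inventory embedded in the script is constructed for the example; the package names are taken from the list above, the pre-update version numbers are made up.

```shell
#!/bin/sh
# Added example (not from the Mageia bug report or the Subversion project):
# audit an inventory of installed subversion packages against the fixed
# upstream version 1.8.14 named in this update. Input lines follow the format
# produced by:  rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' 'subversion*' '*svn*'
# The inventory embedded below is constructed for the example.

FIXED_VERSION="1.8.14"   # first release with fixes for CVE-2015-3184 and CVE-2015-3187

# version_ge A B : succeed when dotted numeric version A is >= B, comparing
# component by component (a missing trailing component counts as 0).
# Only purely numeric version strings such as 1.8.13 are expected here.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        # drop the leading component, or empty the string if it was the last one
        if [ "$a" = "$ah" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bh" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# pkg_is_fixed VERSION : succeed when VERSION is at or above the fixed version.
pkg_is_fixed() { version_ge "$1" "$FIXED_VERSION"; }

# audit_inventory : read "NAME VERSION RELEASE" lines on stdin, print one
# verdict line per package, then print the number of vulnerable packages
# as the last line.
audit_inventory() {
    n=0
    while read -r name ver rel; do
        [ -n "$name" ] || continue
        if pkg_is_fixed "$ver"; then
            echo "$name-$ver-$rel: fixed"
        else
            echo "$name-$ver-$rel: VULNERABLE (update to $FIXED_VERSION: CVE-2015-3184, CVE-2015-3187)"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# count_vulnerable : same input as audit_inventory, prints only the count.
count_vulnerable() { audit_inventory | tail -n 1; }

# Constructed sample inventory mixing not-yet-updated and updated packages.
SAMPLE_INVENTORY='subversion 1.8.13 1.mga5
apache-mod_dav_svn 1.8.13 1.mga5
subversion-server 1.8.14 1.mga5
lib64svn0 1.8.14 1.mga4
perl-SVN 1.8.10 2.mga4'

# Run against the constructed inventory; on a real host pipe the rpm query
# from the header comment into audit_inventory instead.
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Only the VERSION field is compared; the RELEASE field (1.mga4, 1.mga5) is carried through for the report but does not matter for the fix, since any 1.8.14 build contains it. Every package built from the subversion SRPM shares the same version, so a host where `subversion` is fixed but `apache-mod_dav_svn` is not indicates a partially applied update.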
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=14826#c2
Blocks: (none) => 16075
Whiteboard: (none) => MGA4TOO has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/654148/
(In reply to David Walser from comment #1)
> Testing procedure:
> https://bugs.mageia.org/show_bug.cgi?id=14826#c2

Note that in Mageia 4 we have to edit /etc/httpd/conf/conf.d/subversion.conf when following this procedure, not /etc/httpd/modules.d/something anymore.
Testing complete using the above procedure. David, I see in subversion's spec file that there is a test suite, but it's not run at build time. Do you know why?
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-64-OK
(In reply to Samuel VERSCHELDE from comment #3)
> Testing complete using the above procedure. David, I see in subversion's
> spec file that there is a test suite, but it's not run at build time. Do you
> know why?

No. I can try running it on the BS in Cauldron and see if it passes.
(In reply to David Walser from comment #4)
> (In reply to Samuel VERSCHELDE from comment #3)
> > Testing complete using the above procedure. David, I see in subversion's
> > spec file that there is a test suite, but it's not run at build time. Do you
> > know why?
>
> No. I can try running it on the BS in Cauldron and see if it passes.

OK I just looked at this in the SPEC, and I think the comment right at the top answers your question as to why this isn't enabled:

echo "This can take quite some time to finish, so please be patient..."
echo "Don't be too surprised it the tests takes 30 minutes on a dual xeon machine..."

Also, I don't know how long it's been since anyone tried to run it, so all that mess of setting up the LD_LIBRARY_PATH may not even still be correct, and if it's still needed, it doesn't appear that the make check is really designed to actually be used. Upstream should fix that for it to even be worth worrying about.
Updated SVN on my Mageia 5 64bit and used it to upload the advisory. It's a bit light for a test and only covers subversion, lib64svn0 and perl-SVN, but since Stormi tested the full procedure on Mageia 4 already, I'll add an OK.
Whiteboard: MGA4TOO has_procedure MGA4-64-OK => MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK advisory
Hi,

Regarding Bug 16075, I have tested the Mageia 5 update and, for me, all is ok now.

Best regards,
Nico.
CC: (none) => nicolas.salguero
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0326.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED