Debian has issued an advisory today (April 29):
https://www.debian.org/security/2016/dsa-3561

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Daniel Shahaf and James McCoy discovered that an implementation error in the authentication against the Cyrus SASL library would permit a remote user to specify a realm string which is a prefix of the expected realm string and potentially allowing a user to authenticate using the wrong realm (CVE-2016-2167).

Ivan Zhakov of VisualSVN discovered a remotely triggerable denial of service vulnerability in the mod_authz_svn module during COPY or MOVE authorization check. An authenticated remote attacker could take advantage of this flaw to cause a denial of service (Subversion server crash) via COPY or MOVE requests with specially crafted header (CVE-2016-2168).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2168
http://mail-archives.apache.org/mod_mbox/subversion-announce/201604.mbox/%3CCAP_GPNgJet+7_MAhomFVOXPgLtewcUw9w=k9zdPCkq5tvPxVMA@mail.gmail.com%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.16/CHANGES
http://subversion.apache.org/security/CVE-2016-2167-advisory.txt
http://subversion.apache.org/security/CVE-2016-2168-advisory.txt
https://www.debian.org/security/2016/dsa-3561
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.16-1.mga5
subversion-doc-1.8.16-1.mga5
libsvn0-1.8.16-1.mga5
libsvn-gnome-keyring0-1.8.16-1.mga5
libsvn-kwallet0-1.8.16-1.mga5
subversion-server-1.8.16-1.mga5
subversion-tools-1.8.16-1.mga5
python-svn-1.8.16-1.mga5
ruby-svn-1.8.16-1.mga5
libsvnjavahl1-1.8.16-1.mga5
svn-javahl-1.8.16-1.mga5
perl-SVN-1.8.16-1.mga5
subversion-kwallet-devel-1.8.16-1.mga5
subversion-gnome-keyring-devel-1.8.16-1.mga5
perl-svn-devel-1.8.16-1.mga5
python-svn-devel-1.8.16-1.mga5
ruby-svn-devel-1.8.16-1.mga5
subversion-devel-1.8.16-1.mga5
apache-mod_dav_svn-1.8.16-1.mga5

from subversion-1.8.16-1.mga5.src.rpm
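Added example (not part of the original report, and not Subversion's own code): a minimal C illustration of the class of realm check described for CVE-2016-2167, where a comparison bounded by the length of the client-supplied realm accepts any prefix of the expected realm, next to an exact comparison. All function names, the `user@realm` splitting and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed check (illustrative): compares only as many bytes as the client
 * supplied, so any prefix of the expected realm, including "", matches. */
bool realm_matches_prefix_bug(const char *supplied, const char *expected)
{
    return strncmp(supplied, expected, strlen(supplied)) == 0;
}

/* Corrected check: the lengths must agree and every byte must match. */
bool realm_matches_exact(const char *supplied, const char *expected)
{
    size_t n = strlen(expected);
    return strlen(supplied) == n && memcmp(supplied, expected, n) == 0;
}

/* Split a hypothetical "user@realm" principal at the last '@' and validate
 * the realm part with the given comparator. Rejects a missing '@' and an
 * empty user name. */
bool user_in_realm(const char *principal, const char *expected,
                   bool (*cmp)(const char *, const char *))
{
    const char *at = strrchr(principal, '@');
    if (at == NULL || at == principal)
        return false;
    return cmp(at + 1, expected);
}

int main(void)
{
    /* Constructed sample values, not taken from any real deployment. */
    const char *expected = "example.org";
    const char *inputs[] = { "alice@example.org", "alice@example",
                             "alice@", "alice@example.org.evil" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-24s prefix-bug=%d exact=%d\n", inputs[i],
               user_in_realm(inputs[i], expected, realm_matches_prefix_bug),
               user_in_realm(inputs[i], expected, realm_matches_exact));
    return 0;
}
```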
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=14826#c2
Whiteboard: (none) => has_procedure
x86_64

Installed all the packages listed and carried out the setting-up instructions outlined in bug 10895 #4.

$ svnadmin create --fs-type fsfs ~/svn
$ cd
$ mkdir project
$ cd project
$ mkdir bin
$ mkdir src
$ mkdir doc

Updated all as listed.

$ echo test > doc/index.html
$ echo whatever > src/Makefile
$ svn import ~/project/ file:///home/lcl/svn/project/trunk -m 'Initial import'
Adding         bin
Adding         doc
Adding         doc/index.html
Adding         src
Adding         src/Makefile
Committed revision 1.
$ cd
$ rm -rf project
$ svn checkout file:///home/lcl/svn/project
A    project/trunk
A    project/trunk/doc
A    project/trunk/doc/index.html
A    project/trunk/src
A    project/trunk/src/Makefile
A    project/trunk/bin
Checked out revision 1.
$ cd project
$ ls -a
.  ..  .svn  trunk
$ svn info
Path: .
Working Copy Root Path: /home/lcl/project
URL: file:///home/lcl/svn/project
Relative URL: ^/project
Repository Root: file:///home/lcl/svn
Repository UUID: e0eb750c-cb4b-45e1-8e3d-535e378144aa
Revision: 1
Node Kind: directory
Schedule: normal
Last Changed Author: lcl
Last Changed Rev: 1
Last Changed Date: 2016-04-30 20:17:57 +0100 (Sat, 30 Apr 2016)

Edited /etc/httpd/conf/conf.d/subversion.conf to point to /home/lcl/svn.

$ sudo systemctl restart httpd.service
Job for httpd.service failed. See "systemctl status httpd.service" and "journalctl -xe" for details.
$ sudo systemctl -l status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: failed (Result: exit-code) since Sat 2016-04-30 20:56:39 BST; 1min 13s ago
  Process: 32615 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 32615 (code=exited, status=1/FAILURE)

Apr 30 20:56:39 vega httpd[32615]: httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf/modules.d/10_mod_nss.conf: Cannot load modules/libmodnss.so into server: /etc/httpd/modules/libmodnss.so: cannot open shared object file: No such file or directory
Apr 30 20:56:39 vega systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Apr 30 20:56:39 vega systemd[1]: Failed to start The Apache HTTP Server.
Apr 30 20:56:39 vega systemd[1]: Unit httpd.service entered failed state.
Apr 30 20:56:39 vega systemd[1]: httpd.service failed.

Line 54 of httpd.conf reads:
Include conf/modules.d/*.conf
and /etc/httpd/conf/modules.d/10_mod_nss.conf starts with:
LoadModule dav_svn_module modules/mod_dav_svn.so

$ ls /etc/httpd/modules/lib*nss.so*
ls: cannot access modules/lib*nss.so*: No such file or directory
$ urpmq --whatprovides libmodnss
No package named libmodnss

Looks like my system is missing something.
CC: (none) => tarazed25
$ sudo urpme apache-mod_nss
$ sudo urpmi apache-mod_nss
apache-mod_nss certificate database generated
# systemctl start httpd.service

Fine.
$ firefox http://localhost/svn/repos

Shows this in the browser:
repos - Revision 1: /
project/
project -> trunk
trunk -> bin/ doc/ src/
etc. etc.

Good for 64-bit
Whiteboard: has_procedure => has_procedure MGA5-64-OK
i586 in virtualbox

Updated all the packages listed and carried out the setting-up instructions for a dummy project from bug 10895 #c4, exactly as in the 64-bit test; committed project to svn, removed project directory and checked out the project, which recreated the project directory.

$ ls -a project
.  ..  .svn  trunk
$ ls project/trunk
$ cd project
$ svn info
Path: .
Working Copy Root Path: /home/lcl/project
URL: file:///home/lcl/svn/project
Relative URL: ^/project
Repository Root: file:///home/lcl/svn
Repository UUID: e4d39550-3a9f-4e2e-be80-86301193ee89
Revision: 1
Node Kind: directory
Schedule: normal
Last Changed Author: lcl
Last Changed Rev: 1
Last Changed Date: 2016-05-01 11:12:05 +0100 (Sun, 01 May 2016)
bin  doc  src
$ sudo vi /etc/httpd/conf/conf.d/subversion.conf
$ sudo systemctl restart httpd.service
$ firefox http://localhost/svn/repos

This brought up the project page in the browser.

Validating this for both architectures. Would someone in sysadmin please push to updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0161.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED