Subversion 1.8.17 has been released on November 29:
https://lists.apache.org/thread.html/ecf3400585d1fd2ffc754bc348a4f7d9a4863573e11d551b3b287640@%3Cannounce.subversion.apache.org%3E

It fixes one security issue:
http://subversion.apache.org/security/CVE-2016-8734-advisory.txt

and other bugs:
http://svn.apache.org/repos/asf/subversion/tags/1.8.17/CHANGES

Update committed in SVN.
Updated packages submitted to the build system, hopefully to be available some time tonight.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14826#c2

Advisory:
========================

Updated subversion packages fix security vulnerability:

Subversion's mod_dontdothat module and clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack, otherwise known as the "billion laughs attack", targets XML parsers and can cause the targeted process to consume an excessive amount of CPU resources or memory (CVE-2016-8734).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8734
https://lists.apache.org/thread.html/ecf3400585d1fd2ffc754bc348a4f7d9a4863573e11d551b3b287640@%3Cannounce.subversion.apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.17/CHANGES
http://subversion.apache.org/security/CVE-2016-8734-advisory.txt
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.17-1.mga5
subversion-doc-1.8.17-1.mga5
libsvn0-1.8.17-1.mga5
libsvn-gnome-keyring0-1.8.17-1.mga5
libsvn-kwallet0-1.8.17-1.mga5
subversion-server-1.8.17-1.mga5
subversion-tools-1.8.17-1.mga5
python-svn-1.8.17-1.mga5
ruby-svn-1.8.17-1.mga5
libsvnjavahl1-1.8.17-1.mga5
svn-javahl-1.8.17-1.mga5
perl-SVN-1.8.17-1.mga5
subversion-kwallet-devel-1.8.17-1.mga5
subversion-gnome-keyring-devel-1.8.17-1.mga5
perl-svn-devel-1.8.17-1.mga5
python-svn-devel-1.8.17-1.mga5
ruby-svn-devel-1.8.17-1.mga5
subversion-devel-1.8.17-1.mga5
apache-mod_dav_svn-1.8.17-1.mga5

from subversion-1.8.17-1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
CC: (none) => youpburden
Whiteboard: has_procedure => (none)
Whiteboard: (none) => has_procedure
URL: (none) => https://lwn.net/Vulnerabilities/708883/
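The exponential entity expansion named in the advisory above can be measured without performing it. The following is an added example, not code from Subversion, Mageia or this bug report: it computes the expanded size of each internal general entity arithmetically and rejects a document that exceeds a budget. The function names, the budget and the small constructed sample are assumptions; parameter and external entities are not handled.

```python
import re

# Internal general entities only; parameter (%) and external entities are out of scope.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.\-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.\-]+);')
DOCTYPE = re.compile(r'<!DOCTYPE.*?\]\s*>', re.S)

def expanded_sizes(xml_text):
    """Map each declared entity to its fully expanded length, computed
    arithmetically so nothing is ever actually expanded in memory."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)          # in XML the first declaration wins
    sizes = {}

    def size(name, stack):
        if name not in decls:
            return 1                           # predefined (&amp;) or undeclared
        if name in sizes:
            return sizes[name]                 # memoised: each entity is sized once
        if name in stack:
            raise ValueError("recursive entity: " + name)
        value = decls[name]
        total = len(ENTITY_REF.sub("", value)) + sum(
            size(ref, stack | {name}) for ref in ENTITY_REF.findall(value))
        sizes[name] = total
        return total

    for name in decls:
        size(name, frozenset())
    return sizes

def body_expansion(xml_text):
    """Characters the document body would occupy after entity expansion."""
    sizes = expanded_sizes(xml_text)
    body = DOCTYPE.sub("", xml_text)
    return len(ENTITY_REF.sub("", body)) + sum(
        sizes.get(ref, 1) for ref in ENTITY_REF.findall(body))

def within_budget(xml_text, max_chars=1_000_000):
    """False if expansion exceeds max_chars or entities refer to themselves."""
    try:
        return body_expansion(xml_text) <= max_chars
    except ValueError:
        return False

# Constructed sample: three levels, each referencing the previous one three times.
SAMPLE = """<!DOCTYPE r [
<!ENTITY a "ha">
<!ENTITY b "&a;&a;&a;">
<!ENTITY c "&b;&b;&b;">
]>
<r>&c;</r>"""
```

Each extra level multiplies the expanded size by the number of references per level, which is why a few hundred bytes of declarations can exhaust a parser's memory; the memoised computation stays linear in the size of the declarations.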
MGA5-32 on Acer D620 Xfce
No installation issues
Followed procedure as per bug 14826, all works OK
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
Testing M5 x64

Since the 'procedure' referred to in Comment 1 and above is somewhat scattered, I recapitulate it all here.
Make sure you have at least:
apache-mod_dav_svn
subversion
subversion-tools
+ dependencies installed.

$ svnadmin create --fs-type fsfs /home/<user>/svn
$ mkdir project
$ cd project/
$ mkdir bin
$ mkdir src
$ mkdir doc
$ echo test > doc/index.html
$ echo stuff > src/Makefile
$ svn import /home/<user>/project/ file:///home/<user>/svn/project/trunk -m 'Initial import'
Adding bin
Adding doc
Adding doc/index.html
Adding src
Adding src/Makefile

Committed revision 1.
$ cd
$ rm -rf project
$ svn checkout file:///home/<user>/svn/project
A project/trunk
A project/trunk/doc
A project/trunk/doc/index.html
A project/trunk/src
A project/trunk/src/Makefile
A project/trunk/bin
Checked out revision 1.

# [edit] /etc/httpd/conf/conf.d/subversion.conf
Uncomment just the 4 lines:
<Location /svn/repos>
DAV svn
SVNPath /home/<user>/svn
[leave # lines down to...]
</Location>

# systemctl restart httpd

Browse http://localhost/svn/repos, "shows the contents of the svn repo".

-----------

Installed from normal repos the packages indicated, then updated them to:
apache-mod_dav_svn-1.8.17-1.mga5
lib64svn0-1.8.17-1.mga5
perl-SVN-1.8.17-1.mga5
subversion-1.8.17-1.mga5
subversion-tools-1.8.17-1.mga5

Ran the procedure as described above, but the final step
http://localhost/svn/repos ended badly:

<D:error xmlns:D="DAV:" xmlns:m="http://apache.org/dav/xmlns" xmlns:C="svn:">
<C:error/>
<m:human-readable errcode="13">
Could not open the requested SVN filesystem
</m:human-readable>
</D:error>

$ ls -l /home/lewis/svn
drwxr-xr-x 2 lewis lewis 4096 Ion 3 20:09 conf/
drwxr-sr-x 6 lewis lewis 4096 Ion 3 20:13 db/
-r--r--r-- 1 lewis lewis 2 Ion 3 20:09 format
drwxr-xr-x 2 lewis lewis 4096 Ion 3 20:09 hooks/
drwxr-xr-x 2 lewis lewis 4096 Ion 3 20:09 locks/
-rw-r--r-- 1 lewis lewis 246 Ion 3 20:09 README.txt

# less /etc/httpd/conf/conf.d/subversion.conf
<IfModule mod_dav_svn.c>

<Location /svn/repos>
DAV svn
SVNPath /home/lewis/svn
# ...
</Location>

</IfModule>

Hoping for an explanation before giving the OK.
(In reply to Lewis Smith from comment #3)
> Testing M5 x64
>
> Since the 'procedure' referred to in Comment 1 and above is somewhat
> scattered, I recapitulate it all here.
> Make sure you have at least:
> apache-mod_dav_svn
> subversion
> subversion-tools
> + dependencies installed.
>
> $ svnadmin create --fs-type fsfs /home/<user>/svn
> $ mkdir project
> $ cd project/
> $ mkdir bin
> $ mkdir src
> $ mkdir doc
> $ echo test > doc/index.html
> $ echo stuff > src/Makefile
> $ svn import /home/<user>/project/ file:///home/<user>/svn/project/trunk -m
> 'Initial import'
> Adding bin
> Adding doc
> Adding doc/index.html
> Adding src
> Adding src/Makefile
>
> Committed revision 1.
> $ cd
> $ rm -rf project
> $ svn checkout file:///home/<user>/svn/project
> A project/trunk
> A project/trunk/doc
> A project/trunk/doc/index.html
> A project/trunk/src
> A project/trunk/src/Makefile
> A project/trunk/bin
> Checked out revision 1.
>
> # [edit] /etc/httpd/conf/conf.d/subversion.conf
> Uncomment just the 4 lines:
> <Location /svn/repos>
> DAV svn
> SVNPath /home/<user>/svn
> [leave # lines down to...]
> </Location>
>
> # systemctl restart httpd
>
> Browse http://localhost/svn/repos, "shows the contents of the svn repo".
>
> -----------
>
> Installed from normal repos the packages indicated, then updated them to:
> apache-mod_dav_svn-1.8.17-1.mga5
> lib64svn0-1.8.17-1.mga5
> perl-SVN-1.8.17-1.mga5
> subversion-1.8.17-1.mga5
> subversion-tools-1.8.17-1.mga5
>
> Ran the procedure as described above, but the final step
> http://localhost/svn/repos ended badly:
>
> <D:error xmlns:D="DAV:" xmlns:m="http://apache.org/dav/xmlns" xmlns:C="svn:">
> <C:error/>
> <m:human-readable errcode="13">
> Could not open the requested SVN filesystem
> </m:human-readable>
> </D:error>
>
> $ ls -l /home/lewis/svn
> drwxr-xr-x 2 lewis lewis 4096 Ion 3 20:09 conf/
> drwxr-sr-x 6 lewis lewis 4096 Ion 3 20:13 db/
> -r--r--r-- 1 lewis lewis 2 Ion 3 20:09 format
> drwxr-xr-x 2 lewis lewis 4096 Ion 3 20:09 hooks/
> drwxr-xr-x 2 lewis lewis 4096 Ion 3 20:09 locks/
> -rw-r--r-- 1 lewis lewis 246 Ion 3 20:09 README.txt
>
> # less /etc/httpd/conf/conf.d/subversion.conf
> <IfModule mod_dav_svn.c>
>
> <Location /svn/repos>
> DAV svn
> SVNPath /home/lewis/svn
> # ...
> </Location>
>
> </IfModule>
>
> Hoping for an explanation before giving the OK.

From my experience, Apache is sometimes configured to block read/write access to directories under /home. Perhaps we should try again with a path somewhere under / (/var or whatever).
CC: (none) => shlomif
With the repository under /var/svn/test1, this works fine on a mageia 5 x86-64 VBox VM. I'll attach the user and root typescripts in the next comments.
Whiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5-32-OK advisory MGA5-64-OK
Created attachment 8837
root shell typescript
Created attachment 8838
shlomif user typescript for testing this update as generated by the "script" command.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0009.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED