Bug 2239 - update candidate : subversion 1.6.17, for better upgrade from 2010.2
Summary: update candidate : subversion 1.6.17, for better upgrade from 2010.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 1
Hardware: i586 Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: Security, validated_update
Duplicates: 1521
Depends on:
Blocks: 1700
Reported: 2011-07-22 16:52 CEST by Michael Scherer
Modified: 2011-09-02 00:12 CEST (History)
CC: 7 users

See Also:
Source RPM: subversion
CVE:
Status comment:


Attachments

Description Michael Scherer 2011-07-22 16:52:04 CEST
Description of problem:
Mandriva 2010.2 has been offering subversion 1.6.17 as an update since 4th June. This breaks the upgrade path to Mageia, since we only have 1.6.16.
Comment 1 D Morgan 2011-07-22 17:19:04 CEST
This package is now in updates_testing.

CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs

Samuel Verschelde 2011-07-22 17:47:12 CEST

CC: (none) => stormi
Summary: upgrade path from 2010.2 broken => update candidate : subversion 1.6.17, for better upgrade from 2010.2

Comment 2 Michael Scherer 2011-07-22 17:59:41 CEST
1.6.17 is a bugfix-only release, with 3 CVEs fixed.
Comment 3 Samuel Verschelde 2011-07-24 22:52:49 CEST
The package works well, no regression spotted so far, on i586.
Comment 4 José Jorge 2011-07-25 10:19:15 CEST
OK on x86_64.

Keywords: (none) => validated_update
CC: (none) => lists.jjorge

Comment 5 Michael Scherer 2011-07-26 01:44:59 CEST
Why 0.1 as a release?
Comment 6 D Morgan 2011-07-26 02:27:38 CEST
It should have been 1.1, but I used %mkrel 0 and subrel 1 because I misused subrel (it was my first rpm using it). I don't think this is a real pb, is it?
Comment 7 Samuel Verschelde 2011-07-26 09:16:59 CEST
It is:

subversion-1.6.17-0.1mdv2010.2.i586.rpm > subversion-1.6.17-0.1.mga1.i586.rpm IINM (because of the dot before mga1)

So we need a higher release. Increasing subrel is not enough here because it can be increased in mdv too, so it's better to increase the release to make sure there are no problems (unless they do another version upgrade, of course).
Comment 8 Ahmad Samir 2011-07-26 10:48:42 CEST
Actually, ATM the mga package is higher than the mdv one:
$ rpmdev-vercmp 1.6.17-0.1mdv2010.2.i586 1.6.17-0.1.mga1.i586
1.6.17-0.1mdv2010.2.i586 < 1.6.17-0.1.mga1.i586

But to make it work with future mdv updates to 2010.2, it's better to increase the rel; right now it's subversion-1.6.17-2.mga2 in cauldron, so a 1.x.mga1 should still be upgradable.
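The ordering that rpmdev-vercmp reports above can be reproduced with a port of the segment-comparison rule in rpm's rpmvercmp(). The block below is an added example, not code from this bug report or from the rpm project: it compares the release strings from the thread and one constructed, hypothetical future Mandriva subrel (0.2mdv2010.2) to show why a Mageia release of 0.1 would stop being an upgrade as soon as Mandriva bumped its subrel, while release 1 stays ahead.

```python
# Added example: a Python port of the segment-comparison rule used by
# rpm's rpmvercmp(), to check the release ordering discussed in this bug.
# Not code from the bug report or from the rpm project.
import re
from typing import List, Optional, Tuple

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def _segments(s: str) -> List[str]:
    """Split a version or release string the way rpm does: runs of digits
    and runs of letters are segments, '~' is kept as a marker, and every
    other character (such as '.') is only a separator."""
    return _SEGMENT.findall(s)


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm rules)."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for i in range(max(len(sa), len(sb))):
        x: Optional[str] = sa[i] if i < len(sa) else None
        y: Optional[str] = sb[i] if i < len(sb) else None
        # '~' sorts before anything, even the end of the string (1.0~rc1 < 1.0)
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        # the string that still has segments left is the newer one (1.0a > 1.0)
        if x is None:
            return -1
        if y is None:
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # a numeric segment is newer than an alphabetic one
            return 1 if x_num else -1
        if x_num:
            if int(x) != int(y):          # numeric segments compare as integers
                return 1 if int(x) > int(y) else -1
        elif x != y:                      # alphabetic segments compare like strcmp
            return 1 if x > y else -1
    return 0


def split_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' into its parts. The epoch defaults to 0,
    the release to '' when absent, and the release starts after the last '-'."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, sep, release = evr.rpartition("-")
    if not sep:
        version, release = evr, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Order two EVR strings like rpm: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def upgrades_cleanly(old_evr: str, new_evr: str) -> bool:
    """True when rpm would treat new_evr as an upgrade over old_evr."""
    return compare_evr(new_evr, old_evr) > 0


if __name__ == "__main__":
    # Values from the thread, plus one constructed future Mandriva subrel.
    mdv_now = "1.6.17-0.1mdv2010.2"
    mdv_later = "1.6.17-0.2mdv2010.2"      # constructed, hypothetical
    mga_rel0 = "1.6.17-0.1.mga1"
    mga_rel1 = "1.6.17-1.mga1"
    cauldron = "1.6.17-2.mga2"
    for old, new in [(mdv_now, mga_rel0), (mdv_later, mga_rel0),
                     (mdv_later, mga_rel1), (mga_rel1, cauldron)]:
        state = "ok" if upgrades_cleanly(old, new) else "BLOCKED"
        print(f"{old} -> {new}: {state}")
```

The reason 0.1.mga1 currently wins is not the dot: both releases compare equal on the leading "0" and "1" segments, and the decision falls to the alphabetic segments "mdv" versus "mga", where "mdv" sorts lower. Any Mandriva subrel bump to 0.2 would then win on the second numeric segment, which is exactly what bumping the Mageia release to 1 prevents.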
Comment 9 Samuel Verschelde 2011-07-26 11:36:12 CEST
(In reply to comment #8)
> Actually, ATM the mga package is higher than the mdv one:
> $ rpmdev-vercmp 1.6.17-0.1mdv2010.2.i586 1.6.17-0.1.mga1.i586
> 1.6.17-0.1mdv2010.2.i586 < 1.6.17-0.1.mga1.i586
> 

I knew my "IINM" was not useless :) Thanks for the rectification.
Comment 10 Samuel Verschelde 2011-07-26 12:02:58 CEST
Un-validating until release is fixed.

Keywords: validated_update => (none)

Comment 11 Samuel Verschelde 2011-07-29 23:24:16 CEST
Release set to 1 according to policy.

Assigning to security team as it's a security update.

CC: (none) => qa-bugs
Assignee: qa-bugs => security

Comment 12 Samuel Verschelde 2011-07-30 23:37:24 CEST
*** Bug 1521 has been marked as a duplicate of this bug. ***

CC: (none) => saispo

Comment 13 D Morgan 2011-08-21 02:48:05 CEST
So now this is validated? And OK to push to updates?
Comment 14 Michael Scherer 2011-08-21 09:23:44 CEST
Well, if this is a security release, what CVEs are fixed?
Comment 15 Michael Scherer 2011-08-21 09:33:18 CEST
And it lacks an advisory. The CVEs are listed at http://svn.haxx.se/dev/archive-2011-06/0030.shtml

There is no public exploit so far:

http://www.securityfocus.com/bid/48091/exploit
Comment 16 D Morgan 2011-08-25 19:12:48 CEST
So what to do?
Comment 17 Stew Benedict 2011-08-26 16:43:43 CEST
Umm, OK. Someone could have just copied and pasted the advisory text from the bug that got duped out, which was supposed to be one of our first "official" updates but somehow got usurped for this bug:

Several vulnerabilities were discovered in Subversion, the version
control system. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2011-1752

   The mod_dav_svn Apache HTTPD server module can be crashed when
   asked to deliver baselined WebDAV resources.

CVE-2011-1783

   The mod_dav_svn Apache HTTPD server module can trigger a loop which
   consumes all available memory on the system.

CVE-2011-1921

   The mod_dav_svn Apache HTTPD server module may leak to remote users
   the file contents of files configured to be unreadable by those
   users.

CC: (none) => stewbintn

Manuel Hiebel 2011-08-26 22:29:25 CEST

Blocks: (none) => 1700

Comment 18 Samuel Verschelde 2011-09-01 22:59:27 CEST
According to http://www.securityfocus.com/bid/48091/exploit there are no known public exploits, so I validate this update without the need for testing that the security issues really have been fixed.

Next time we will not assign those bugs to the security group after QA validation; the policy has been changed accordingly. We should not see such a delay in validation anymore, sorry for this one.

Please push subversion to Core Updates.

Advisory:

Several vulnerabilities were discovered in Subversion, the version
control system. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2011-1752

   The mod_dav_svn Apache HTTPD server module can be crashed when
   asked to deliver baselined WebDAV resources.

CVE-2011-1783

   The mod_dav_svn Apache HTTPD server module can trigger a loop which
   consumes all available memory on the system.

CVE-2011-1921

   The mod_dav_svn Apache HTTPD server module may leak to remote users
   the file contents of files configured to be unreadable by those
   users.

Keywords: (none) => Security, validated_update
CC: (none) => sysadmin-bugs
Assignee: security => qa-bugs

Comment 19 D Morgan 2011-09-02 00:12:59 CEST
Update pushed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED
