Description of problem: Mandriva 2010.2 is offering subversion 1.6.17 as an update since 4th June. This breaks the upgrade path to Mageia, since we only have 1.6.16.
This package is now in updates_testing.
CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs
CC: (none) => stormi
Summary: upgrade path from 2010.2 broken => update candidate: subversion 1.6.17, for better upgrade from 2010.2
1.6.17 is a bugfix-only release, with 3 CVEs fixed.
The package works well, no regression spotted so far, on i586.
OK on x86_64.
Keywords: (none) => validated_update
CC: (none) => lists.jjorge
Why 0.1 as the release?
It should have been 1.1, but I used %mkrel 0 and subrel 1 because I misused subrel (it was my first RPM using it). I don't think this is a real problem, is it?
It is: subversion-1.6.17-0.1mdv2010.2.i586.rpm > subversion-1.6.17-0.1.mga1.i586.rpm IINM (because of the dot before mga1). So we need a higher release. Increasing subrel is not enough here because it can be increased in mdv too, so better increase the release to make sure there are no problems (unless they do another version upgrade, of course).
Actually, ATM the mga package is higher than the mdv one:
$ rpmdev-vercmp 1.6.17-0.1mdv2010.2.i586 1.6.17-0.1.mga1.i586
1.6.17-0.1mdv2010.2.i586 < 1.6.17-0.1.mga1.i586
But to make it work with future mdv updates to 2010.2, better to increase the rel; right now it's subversion-1.6.17-2.mga2 in cauldron, so a 1.x.mga1 should still be upgradable.
(In reply to comment #8)
> Actually, ATM the mga package is higher than the mdv one:
> $ rpmdev-vercmp 1.6.17-0.1mdv2010.2.i586 1.6.17-0.1.mga1.i586
> 1.6.17-0.1mdv2010.2.i586 < 1.6.17-0.1.mga1.i586
I knew my "IINM" was not useless :) Thanks for the rectification.
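The release-ordering question in the exchange above is decided by rpm's segment-by-segment comparison, and it matters for a security update: if the Mageia package sorts below the Mandriva one, the fixed build is never installed on upgrade. The following is an added example written for this page, not rpm's, Mandriva's or Mageia's own code. It re-implements the comparison in Python under the assumption that it mirrors the rules of rpm's lib/rpmvercmp.c (numeric segments compare by value, alphabetic ones lexically, a numeric segment beats an alphabetic one, `~` sorts lowest and `^` sorts between a base version and its suffixed forms). It shows why `0.1mdv2010.2` sorts below `0.1.mga1` (the dot is irrelevant; the alphabetic segment `mdv` loses to `mga`) and why a bare subrel bump would not be safe. The release `0.2mdv2010.2` is a constructed hypothetical, not a real Mandriva package.

```python
from functools import cmp_to_key

# Added example for this bug thread (not rpm's or Mageia's code). Assumption:
# the segment rules below mirror rpm's lib/rpmvercmp.c.


def _take(s: str, pos: int, pred) -> str:
    """Return the run of characters starting at pos for which pred holds."""
    end = pos
    while end < len(s) and pred(s[end]):
        end += 1
    return s[pos:end]


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way rpm does: -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators such as '.' or '_' are skipped; '~' and '^' are kept.
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' marks a pre-release: it sorts below everything, even end of string.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' marks a post-release snapshot: above the bare base version,
        # below any other suffix.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take a whole numeric or a whole alphabetic segment from each side.
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _take(a, i, pred), _take(b, j, pred)
        i, j = i + len(sa), j + len(sb)
        if not sb:
            # Segment types differ ("1" vs "a"): numeric sorts above alphabetic.
            return 1 if isnum else -1
        if isnum:
            # Leading zeros are insignificant; a longer number is a bigger one.
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has characters left is the newer one.
    return -1 if i >= len(a) else 1


def split_evr(evr: str):
    """Split 'epoch:version-release' into (int epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")      # version/release never contain ':'
    version, _, release = rest.partition("-")  # nor '-'
    return (int(epoch) if epoch else 0), version, release


def compare_evr(x: str, y: str) -> int:
    """Compare full EVRs: epoch first, then version, then release."""
    ex, vx, rx = split_evr(x)
    ey, vy, ry = split_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def sort_evrs(evrs):
    """Return the EVRs in ascending rpm order (the order an upgrade must respect)."""
    return sorted(evrs, key=cmp_to_key(compare_evr))


if __name__ == "__main__":
    candidates = [
        "1.6.17-0.1mdv2010.2",  # Mandriva 2010.2 update, from the thread
        "1.6.17-0.1.mga1",      # first Mageia candidate, from the thread
        "1.6.17-0.2mdv2010.2",  # constructed: a hypothetical Mandriva subrel bump
        "1.6.17-1.mga1",        # release bumped to 1 per policy, from the thread
        "1.6.17-2.mga2",        # cauldron package, from the thread
    ]
    for evr in sort_evrs(candidates):
        print(evr)
```

Run stand-alone, the script lists the candidates from oldest to newest. The interesting line is the hypothetical `0.2mdv2010.2`: it sorts above `0.1.mga1` because the numeric segment `2` beats `1` before the alphabetic `mdv`/`mga` comparison is ever reached, which is exactly why bumping the Mageia release to `1` (where `1` beats `0` in the first segment) is the robust fix rather than relying on the distribution tag.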
Un-validating until release is fixed.
Keywords: validated_update => (none)
Release set to 1 according to policy. Assigning to the security team as it's a security update.
CC: (none) => qa-bugs
Assignee: qa-bugs => security
*** Bug 1521 has been marked as a duplicate of this bug. ***
CC: (none) => saispo
So now this is validated? And OK to push to updates?
Well, if this is a security release, what CVEs are fixed?
And it lacks an advisory. The CVEs are listed at http://svn.haxx.se/dev/archive-2011-06/0030.shtml. There is no public exploit so far: http://www.securityfocus.com/bid/48091/exploit
So what to do?
Umm, OK. Someone could have just copy-pasted the advisory text from the bug that got duped out, which was supposed to be one of our first "official" updates but somehow got usurped for this bug:

Several vulnerabilities were discovered in Subversion, the version control system. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2011-1752
The mod_dav_svn Apache HTTPD server module can be crashed when asked to deliver baselined WebDAV resources.

CVE-2011-1783
The mod_dav_svn Apache HTTPD server module can trigger a loop which consumes all available memory on the system.

CVE-2011-1921
The mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users.
CC: (none) => stewbintn
Blocks: (none) => 1700
According to http://www.securityfocus.com/bid/48091/exploit there are no known public exploits, so I validate this update without the need for testing that the security issues really have been fixed.

Next time we will not assign those bugs to the security group after QA validation; the policy has been changed accordingly. We should not see such a delay in validation anymore, sorry for this one.

Please push subversion to Core Updates.

Advisory:

Several vulnerabilities were discovered in Subversion, the version control system. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2011-1752
The mod_dav_svn Apache HTTPD server module can be crashed when asked to deliver baselined WebDAV resources.

CVE-2011-1783
The mod_dav_svn Apache HTTPD server module can trigger a loop which consumes all available memory on the system.

CVE-2011-1921
The mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users.
Keywords: (none) => Security, validated_update
CC: (none) => sysadmin-bugs
Assignee: security => qa-bugs
Update pushed.
Status: NEW => RESOLVED
Resolution: (none) => FIXED