Bug 25230 - subversion new security issues CVE-2018-11782 and CVE-2019-0203
Summary: subversion new security issues CVE-2018-11782 and CVE-2019-0203
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-06 12:55 CEST by David Walser
Modified: 2019-08-12 09:32 CEST

See Also:
Source RPM: subversion-1.10.4-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-08-06 12:55:38 CEST
Apache has issued advisories on July 31:
http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

The issues are fixed upstream in 1.9.12 and 1.10.6:
https://lists.apache.org/list.html?announce@subversion.apache.org

Mageia 6 is also affected.
David Walser 2019-08-06 12:55:48 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-08-06 18:59:44 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two committers.

CC: (none) => geiger.david68210, marja11, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-08-12 01:39:45 CEST
Ubuntu and Debian have issued advisories for this on July 31 and August 1:
https://usn.ubuntu.com/4082-1/
https://www.debian.org/security/2019/dsa-4490

Severity: normal => major

Comment 3 Stig-Ørjan Smelror 2019-08-12 09:29:02 CEST
Advisory
========

This update fixes two security issues.

CVE-2018-11782: Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.
CVE-2019-0203: Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

References
==========

http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

Files
=====

Uploaded to core/updates_testing

perl-SVN-1.9.12-1.mga6
perl-svn-devel-1.9.12-1.mga6
python-svn-1.9.12-1.mga6
python-svn-devel-1.9.12-1.mga6
ruby-svn-1.9.12-1.mga6
ruby-svn-devel-1.9.12-1.mga6
subversion-1.9.12-1.mga6
subversion-debuginfo-1.9.12-1.mga6
subversion-devel-1.9.12-1.mga6
subversion-doc-1.9.12-1.mga6
subversion-gnome-keyring-devel-1.9.12-1.mga6
subversion-server-1.9.12-1.mga6
subversion-tools-1.9.12-1.mga6
svn-javahl-1.9.12-1.mga6

from subversion-1.9.12-1.mga6.src.rpm
Comment 4 Stig-Ørjan Smelror 2019-08-12 09:32:34 CEST
Advisory
========

This update fixes two security issues.

CVE-2018-11782: Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.
CVE-2019-0203: Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

References
==========

http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

Files
=====

Uploaded to core/updates_testing

apache-mod_dav_svn-1.10.6-1.mga7
lib64svn-gnome-keyring0-1.10.6-1.mga7
lib64svn0-1.10.6-1.mga7
lib64svnjavahl1-1.10.6-1.mga7
perl-SVN-1.10.6-1.mga7
perl-svn-devel-1.10.6-1.mga7
python2-svn-1.10.6-1.mga7
python2-svn-devel-1.10.6-1.mga7
ruby-svn-1.10.6-1.mga7
ruby-svn-devel-1.10.6-1.mga7
subversion-1.10.6-1.mga7
subversion-devel-1.10.6-1.mga7
subversion-doc-1.10.6-1.mga7
subversion-gnome-keyring-devel-1.10.6-1.mga7
subversion-server-1.10.6-1.mga7
subversion-tools-1.10.6-1.mga7
svn-javahl-1.10.6-1.mga7

from subversion-1.10.6-1.mga7.src.rpm
Stig-Ørjan Smelror 2019-08-12 09:32:45 CEST

Assignee: pkg-bugs => qa-bugs

