Apache has issued advisories on July 31:
http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

The issues are fixed upstream in 1.9.12 and 1.10.6:
https://lists.apache.org/list.html?announce@subversion.apache.org

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, smelror
Ubuntu and Debian have issued advisories for this on July 31 and August 1:
https://usn.ubuntu.com/4082-1/
https://www.debian.org/security/2019/dsa-4490
Severity: normal => major
Advisory
========

This update fixes two security issues.

CVE-2018-11782: Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.

CVE-2019-0203: Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

References
==========
http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

Files
=====

Uploaded to core/updates_testing

perl-SVN-1.9.12-1.mga6
perl-svn-devel-1.9.12-1.mga6
python-svn-1.9.12-1.mga6
python-svn-devel-1.9.12-1.mga6
ruby-svn-1.9.12-1.mga6
ruby-svn-devel-1.9.12-1.mga6
subversion-1.9.12-1.mga6
subversion-debuginfo-1.9.12-1.mga6
subversion-devel-1.9.12-1.mga6
subversion-doc-1.9.12-1.mga6
subversion-gnome-keyring-devel-1.9.12-1.mga6
subversion-server-1.9.12-1.mga6
subversion-tools-1.9.12-1.mga6
svn-javahl-1.9.12-1.mga6

from subversion-1.9.12-1.mga6.src.rpm
Advisory
========

This update fixes two security issues.

CVE-2018-11782: Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.

CVE-2019-0203: Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

References
==========
http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

Files
=====

Uploaded to core/updates_testing

apache-mod_dav_svn-1.10.6-1.mga7
lib64svn-gnome-keyring0-1.10.6-1.mga7
lib64svn0-1.10.6-1.mga7
lib64svnjavahl1-1.10.6-1.mga7
perl-SVN-1.10.6-1.mga7
perl-svn-devel-1.10.6-1.mga7
python2-svn-1.10.6-1.mga7
python2-svn-devel-1.10.6-1.mga7
ruby-svn-1.10.6-1.mga7
ruby-svn-devel-1.10.6-1.mga7
subversion-1.10.6-1.mga7
subversion-devel-1.10.6-1.mga7
subversion-doc-1.10.6-1.mga7
subversion-gnome-keyring-devel-1.10.6-1.mga7
subversion-server-1.10.6-1.mga7
subversion-tools-1.10.6-1.mga7
svn-javahl-1.10.6-1.mga7

from subversion-1.10.6-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Installed and tested without issues.

Tested on existing, new, local and remote repositories.
Tested svnadmin's create, info, verify, lock, unlock.
Tested svn checkout, status, log, add, ls, mv, rm, commit, update, mkdir, info, cp.
Tested with normal work usage for several days.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep 1.10.6-1 | sort
lib64svn0-1.10.6-1.mga7
subversion-1.10.6-1.mga7
subversion-tools-1.10.6-1.mga7
CC: (none) => mageia
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
MGA6-64 Plasma on Lenovo B50
No installation issues.
Following test described in bug10895 Comment 4 and config settings in bug14826 Comment 6 7 and 8.
Test completed exactly as described.
CC: (none) => herman.viaene
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK
Thanks, guys. Validating. Advisory in Comment 3 and Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
@Stig-Ørjan: you don't need to write 2 advisories when the only difference is the srpms
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0243.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED