Bug 25230 - subversion new security issues CVE-2018-11782 and CVE-2019-0203
Summary: subversion new security issues CVE-2018-11782 and CVE-2019-0203
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-06 12:55 CEST by David Walser
Modified: 2019-09-06 23:11 CEST
CC: 8 users

See Also:
Source RPM: subversion-1.10.4-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-08-06 12:55:38 CEST
Apache has issued advisories on July 31:
http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

The issues are fixed upstream in 1.9.12 and 1.10.6:
https://lists.apache.org/list.html?announce@subversion.apache.org

Mageia 6 is also affected.
David Walser 2019-08-06 12:55:48 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-08-06 18:59:44 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, smelror

Comment 2 David Walser 2019-08-12 01:39:45 CEST
Ubuntu and Debian have issued advisories for this on July 31 and August 1:
https://usn.ubuntu.com/4082-1/
https://www.debian.org/security/2019/dsa-4490

Severity: normal => major

Comment 3 Stig-Ørjan Smelror 2019-08-12 09:29:02 CEST
Advisory
========

This update fixes two security issues.

CVE-2018-11782: Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.
CVE-2019-0203: Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

References
==========

http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

Files
=====

Uploaded to core/updates_testing

perl-SVN-1.9.12-1.mga6
perl-svn-devel-1.9.12-1.mga6
python-svn-1.9.12-1.mga6
python-svn-devel-1.9.12-1.mga6
ruby-svn-1.9.12-1.mga6
ruby-svn-devel-1.9.12-1.mga6
subversion-1.9.12-1.mga6
subversion-debuginfo-1.9.12-1.mga6
subversion-devel-1.9.12-1.mga6
subversion-doc-1.9.12-1.mga6
subversion-gnome-keyring-devel-1.9.12-1.mga6
subversion-server-1.9.12-1.mga6
subversion-tools-1.9.12-1.mga6
svn-javahl-1.9.12-1.mga6

from subversion-1.9.12-1.mga6.src.rpm
Comment 4 Stig-Ørjan Smelror 2019-08-12 09:32:34 CEST
Advisory
========

This update fixes two security issues.

CVE-2018-11782: Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.
CVE-2019-0203: Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

References
==========

http://subversion.apache.org/security/CVE-2018-11782-advisory.txt
http://subversion.apache.org/security/CVE-2019-0203-advisory.txt

Files
=====

Uploaded to core/updates_testing

apache-mod_dav_svn-1.10.6-1.mga7
lib64svn-gnome-keyring0-1.10.6-1.mga7
lib64svn0-1.10.6-1.mga7
lib64svnjavahl1-1.10.6-1.mga7
perl-SVN-1.10.6-1.mga7
perl-svn-devel-1.10.6-1.mga7
python2-svn-1.10.6-1.mga7
python2-svn-devel-1.10.6-1.mga7
ruby-svn-1.10.6-1.mga7
ruby-svn-devel-1.10.6-1.mga7
subversion-1.10.6-1.mga7
subversion-devel-1.10.6-1.mga7
subversion-doc-1.10.6-1.mga7
subversion-gnome-keyring-devel-1.10.6-1.mga7
subversion-server-1.10.6-1.mga7
subversion-tools-1.10.6-1.mga7
svn-javahl-1.10.6-1.mga7

from subversion-1.10.6-1.mga7.src.rpm
Stig-Ørjan Smelror 2019-08-12 09:32:45 CEST

Assignee: pkg-bugs => qa-bugs

Comment 5 PC LX 2019-08-31 20:43:07 CEST
Installed and tested without issues.

Tested on existing, new, local and remote repositories.
Tested svnadmin's create, info, verify, lock, unlock.
Tested svn checkout, status, log, add, ls, mv, rm, commit, update, mkdir, info, cp.
Tested with normal work usage for several days.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep 1.10.6-1 | sort
lib64svn0-1.10.6-1.mga7
subversion-1.10.6-1.mga7
subversion-tools-1.10.6-1.mga7

CC: (none) => mageia
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK

Comment 6 Herman Viaene 2019-09-03 11:34:48 CEST
MGA6-64 Plasma on Lenovo B50
No installation issues
Following the test described in bug10895 Comment 4 and the config settings in bug14826 Comments 6, 7 and 8.
Test completed exactly as described.

CC: (none) => herman.viaene
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK

Comment 7 Thomas Andrews 2019-09-05 04:10:31 CEST
Thanks, guys. Validating. Advisory in Comment 3 and Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Thomas Backlund 2019-09-06 18:06:41 CEST
@Stig-Ørjan: you don't need to write 2 advisories when the only difference is the SRPMs.

Keywords: (none) => advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2019-09-06 23:11:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0243.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
