Upstream has issued updates that fix CVE-2020-17525.
https://lists.apache.org/list.html?announce@subversion.apache.org
Fixed in 1.10.7 and 1.14.1
CVE: (none) => CVE-2020-17525
Advisory
========

Subversion has been updated to fix a remote unauthenticated denial-of-service in Subversion mod_authz_svn.

References
==========
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

Files
=====

Uploaded to core/updates_testing

subversion-1.10.7-1.mga7
subversion-doc-1.10.7-1.mga7
lib64svn0-1.10.7-1.mga7
lib64svn-gnome-keyring0-1.10.7-1.mga7
subversion-server-1.10.7-1.mga7
subversion-tools-1.10.7-1.mga7
python2-svn-1.10.7-1.mga7
ruby-svn-1.10.7-1.mga7
lib64svnjavahl1-1.10.7-1.mga7
svn-javahl-1.10.7-1.mga7
perl-SVN-1.10.7-1.mga7
subversion-gnome-keyring-devel-1.10.7-1.mga7
perl-svn-devel-1.10.7-1.mga7
python2-svn-devel-1.10.7-1.mga7
ruby-svn-devel-1.10.7-1.mga7
subversion-devel-1.10.7-1.mga7
apache-mod_dav_svn-1.10.7-1.mga7

from subversion-1.10.7-1.mga7.src.rpm
Assignee: smelror => qa-bugs
1.14.1 needs to be pushed in mga8.
Whiteboard: (none) => MGA7TOO, MGA8TOO
Version: 7 => Cauldron
Assignee: qa-bugs => smelror
I've sent a Freeze push request to @dev.
RedHat has issued an advisory for this on February 15: https://access.redhat.com/errata/RHSA-2021:0507
Summary: Subversion security issue CVE-2020-17525 => subversion new security issue CVE-2020-17525
Severity: normal => critical
Status comment: (none) => Fixed upstream in 1.10.7 and 1.14.1
Fixed in Cauldron and awaiting validation for mga7.
Whiteboard: MGA7TOO, MGA8TOO => (none)
Assignee: smelror => qa-bugs
Version: Cauldron => 7
Status comment: Fixed upstream in 1.10.7 and 1.14.1 => (none)
MGA7-64 MATE on PeaqC1011
No installation issues
Following Dave's lead from bug 10895, I run into problems:
$ cd Documents/
$ svnadmin create --fs-type fsfs /home/tester7/Documents/svn
$ mkdir project
$ cd project/
$ mkdir bin
$ mkdir src
$ mkdir doc
$ echo test>doc/index.html
$ echo stuff>src/Makefile
$ svn import /home/tester7/Documents/project/ file:///home/tester7/Documents/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found
I can't imagine I would have to set these manually????
CC: (none) => herman.viaene
It seems that none of the SVN_EDITOR, VISUAL or EDITOR variables has been set for this user account. These are not set by default. So, I think you must set them beforehand.
CC: (none) => ouaurelien
Well, I've not seen these noticed on the previous updates. I'm pretty sure I would have noted it when such a thing was needed, and I trust Dave would have done the same. I noticed, comparing the notes with the actual config files in /etc, that there are some changes to the subversion configs. But anyway, in the years I have been testing updates before, I've never come across this situation. And I don't like it a bit.
svn has always done that
Debian has issued an advisory for this on February 13: https://www.debian.org/security/2021/dsa-4851
I've long had ...
$ env|grep EDIT
EDITOR=/usr/bin/mcedit
for reasons other than svn, so hadn't noticed that it was needed.

Tested by adding/committing the advisory to svn for this bug report ...
[dave@x3 advisories]$ mgaadv new security 28348 subversion
[dave@x3 advisories]$ svn add 28348.adv
A 28348.adv
[dave@x3 advisories]$ svn ci -m 'Adding security advisory for subversion mga#28348'
Adding 28348.adv
Transmitting file data .done
Committing transaction...
Committed revision 11385.

Mageia 7 x86_64 ok, validating the update.
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0091.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED