Bug 28348 - subversion new security issue CVE-2020-17525
Summary: subversion new security issue CVE-2020-17525
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-11 13:54 CET by Stig-Ørjan Smelror
Modified: 2021-02-26 16:39 CET (History)

See Also:
Source RPM: subversion-1.10.6-1.mga7.src.rpm
CVE: CVE-2020-17525
Status comment:


Attachments

Description Stig-Ørjan Smelror 2021-02-11 13:54:21 CET
Upstream has issued updates that fix CVE-2020-17525.

https://lists.apache.org/list.html?announce@subversion.apache.org

Fixed in 1.10.7 and 1.14.1
Stig-Ørjan Smelror 2021-02-11 13:55:33 CET

CVE: (none) => CVE-2020-17525

Comment 1 Stig-Ørjan Smelror 2021-02-11 14:23:22 CET
Advisory
========

Subversion has been updated to fix a remote unauthenticated denial-of-service in Subversion mod_authz_svn.

References
==========
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

Files
=====

Uploaded to core/updates_testing

subversion-1.10.7-1.mga7
subversion-doc-1.10.7-1.mga7
lib64svn0-1.10.7-1.mga7
lib64svn-gnome-keyring0-1.10.7-1.mga7
subversion-server-1.10.7-1.mga7
subversion-tools-1.10.7-1.mga7
python2-svn-1.10.7-1.mga7
ruby-svn-1.10.7-1.mga7
lib64svnjavahl1-1.10.7-1.mga7
svn-javahl-1.10.7-1.mga7
perl-SVN-1.10.7-1.mga7
subversion-gnome-keyring-devel-1.10.7-1.mga7
perl-svn-devel-1.10.7-1.mga7
python2-svn-devel-1.10.7-1.mga7
ruby-svn-devel-1.10.7-1.mga7
subversion-devel-1.10.7-1.mga7
apache-mod_dav_svn-1.10.7-1.mga7

from subversion-1.10.7-1.mga7.src.rpm

Assignee: smelror => qa-bugs
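The update set above is seventeen binary packages at 1.10.7-1.mga7, while the advisory names 1.10.7 and 1.14.1 as the fixed releases and the source RPM in the header is still 1.10.6. The script below is an added example, not part of the bug report or of Mageia's own tooling: it splits name-version-release strings of the form used in the Files list (and the `.src.rpm` and `rpm -q` arch-suffixed forms) and reports whether each version is at or above the fixed release for its branch. It assumes no epoch and purely numeric version components, and it only knows the two branches this report names, so any other branch is reported as unknown rather than guessed. The package list embedded in it is copied from Comment 1.

```python
"""Added example: check Subversion package versions against the fixed releases
named in this bug report (1.10.7 on the 1.10 branch, 1.14.1 on the 1.14 branch).
Not part of the bug report or of Mageia's tooling."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed releases as stated in the Description ("Fixed in 1.10.7 and 1.14.1").
# Branches not listed here are not covered by the page and are reported as unknown.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (1, 10): (1, 10, 7),
    (1, 14): (1, 14, 1),
}

# The update set from Comment 1 (page data, not constructed).
COMMENT_1_PACKAGES = [
    "subversion-1.10.7-1.mga7", "subversion-doc-1.10.7-1.mga7",
    "lib64svn0-1.10.7-1.mga7", "lib64svn-gnome-keyring0-1.10.7-1.mga7",
    "subversion-server-1.10.7-1.mga7", "subversion-tools-1.10.7-1.mga7",
    "python2-svn-1.10.7-1.mga7", "ruby-svn-1.10.7-1.mga7",
    "lib64svnjavahl1-1.10.7-1.mga7", "svn-javahl-1.10.7-1.mga7",
    "perl-SVN-1.10.7-1.mga7", "subversion-gnome-keyring-devel-1.10.7-1.mga7",
    "perl-svn-devel-1.10.7-1.mga7", "python2-svn-devel-1.10.7-1.mga7",
    "ruby-svn-devel-1.10.7-1.mga7", "subversion-devel-1.10.7-1.mga7",
    "apache-mod_dav_svn-1.10.7-1.mga7",
]

# name-version-release, optionally followed by ".src.rpm" or a Mageia arch suffix
# as printed by `rpm -q`. Assumption: no epoch, and the version starts with a digit
# (the name may itself contain hyphens, so the version anchor is what splits them).
NEVR_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>[0-9][^-]*)-(?P<release>[^-]+?)"
    r"(?:\.(?:src\.rpm|noarch|x86_64|i586|aarch64|armv7hl))?$"
)


def parse_nevr(nevr: str) -> Tuple[str, str, str]:
    """Split 'lib64svn-gnome-keyring0-1.10.7-1.mga7' into (name, version, release)."""
    m = NEVR_RE.match(nevr.strip())
    if not m:
        raise ValueError(f"not a name-version-release string: {nevr!r}")
    return m.group("name"), m.group("version"), m.group("release")


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.10.7' -> (1, 10, 7). Raises ValueError on non-numeric components."""
    return tuple(int(part) for part in version.split("."))


def fixed_for_cve_2020_17525(version: str) -> Optional[bool]:
    """True if at or above the fixed release for its branch, False if below it,
    None if the page gives no fixed release for that branch."""
    v = version_tuple(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def audit(nevrs: Iterable[str]) -> Dict[str, str]:
    """Map each package string to 'fixed', 'affected' or 'unknown branch'."""
    labels = {True: "fixed", False: "affected", None: "unknown branch"}
    result: Dict[str, str] = {}
    for nevr in nevrs:
        _name, version, _release = parse_nevr(nevr)
        result[nevr] = labels[fixed_for_cve_2020_17525(version)]
    return result


if __name__ == "__main__":
    for pkg, status in audit(COMMENT_1_PACKAGES + ["subversion-1.10.6-1.mga7.src.rpm"]).items():
        print(f"{status:14s} {pkg}")
```

On a host, the same rule can be applied to `rpm -q subversion lib64svn0 apache-mod_dav_svn` output, since the arch suffix `rpm -q` appends is stripped by the parser.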

Comment 2 David Walser 2021-02-11 15:08:36 CET
1.14.1 needs to be pushed in mga8.

Whiteboard: (none) => MGA7TOO, MGA8TOO
Version: 7 => Cauldron
Assignee: qa-bugs => smelror

Comment 3 Stig-Ørjan Smelror 2021-02-11 15:12:35 CET
I've sent a Freeze push request to @dev.
Comment 4 David Walser 2021-02-20 19:22:19 CET
RedHat has issued an advisory for this on February 15:
https://access.redhat.com/errata/RHSA-2021:0507

Summary: Subversion security issue CVE-2020-17525 => subversion new security issue CVE-2020-17525
Status comment: (none) => Fixed upstream in 1.10.7 and 1.14.1
Severity: normal => critical

Comment 5 Stig-Ørjan Smelror 2021-02-20 19:28:25 CET
Fixed in Cauldron and awaiting validation for mga7.

Assignee: smelror => qa-bugs
Whiteboard: MGA7TOO, MGA8TOO => (none)

David Walser 2021-02-20 19:33:16 CET

Status comment: Fixed upstream in 1.10.7 and 1.14.1 => (none)
Version: Cauldron => 7

Comment 6 Herman Viaene 2021-02-22 16:08:12 CET
MGA7-64 MATE on PeaqC1011
No installation issues
Following Dave's lead from bug 10895, I ran into problems:
$ cd Documents/
$ svnadmin create --fs-type fsfs /home/tester7/Documents/svn
$ mkdir project
$ cd project/
$ mkdir bin
$ mkdir src
$ mkdir doc
$ echo test>doc/index.html
$ echo stuff>src/Makefile
$ svn import /home/tester7/Documents/project/ file:///home/tester7/Documents/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found

I can't imagine I would have to set these manually????

CC: (none) => herman.viaene

Comment 7 Aurelien Oudelet 2021-02-22 16:12:52 CET
It seems that none of the SVN_EDITOR, VISUAL or EDITOR variables has been set for this user account.
These are not set by default.
So, I think you must set them beforehand.

CC: (none) => ouaurelien

Comment 8 Herman Viaene 2021-02-22 16:53:05 CET
Well, I've not seen these noticed on the previous updates. I'm pretty sure I would have noted it when such a thing was needed, and I trust Dave would have done the same.
I noticed, comparing the notes with the actual config files in /etc, that there are some changes to the subversion configs.
But anyway, in the years I have been testing updates before, I've never come across this situation. And I don't like it a bit.
Comment 9 David Walser 2021-02-22 18:47:43 CET
svn has always done that
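The procedure in Comment 6 stops at `svn import` because no log message was supplied and no editor was configured, which is the behaviour Comment 9 describes as long-standing. The script below is an added example, not from the bug report or from the Subversion project. It first reports which editor setting `svn` would pick up, in the precedence I understand svn's command-line code to use (SVN_EDITOR, then `editor-cmd` in `~/.subversion/config`, then VISUAL, then EDITOR; `--editor-cmd` on the command line would win over all of these and is not checked here). That order is an assumption, not something stated on this page; the error message in Comment 6 only names the sources. It then re-runs the Comment 6 import against a throwaway repository with the log message passed via `-m`, so the QA test proceeds with no editor at all. The temporary directory layout and log message are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): the QA import test from Comment 6,
# run non-interactively so svn never needs to open an editor.

# Report which editor setting svn would use. Assumed precedence (not stated on
# the page): SVN_EDITOR, then editor-cmd in ~/.subversion/config, then VISUAL,
# then EDITOR. Prints "SOURCE=value" and returns 0, or prints "none" and returns 1.
svn_editor_source() {
    if [ -n "${SVN_EDITOR:-}" ]; then
        printf 'SVN_EDITOR=%s\n' "$SVN_EDITOR"
        return 0
    fi
    # Assumption: editor-cmd only appears under [helpers], so a plain key match
    # is enough; commented-out lines (#) do not match because the key must lead.
    cfg="${HOME:-/nonexistent}/.subversion/config"
    if [ -r "$cfg" ]; then
        cmd=$(sed -n 's/^[[:space:]]*editor-cmd[[:space:]]*=[[:space:]]*//p' "$cfg" | head -n 1)
        if [ -n "$cmd" ]; then
            printf 'editor-cmd=%s\n' "$cmd"
            return 0
        fi
    fi
    for var in VISUAL EDITOR; do
        eval "val=\${$var:-}"
        if [ -n "$val" ]; then
            printf '%s=%s\n' "$var" "$val"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# Re-run the Comment 6 procedure in a fresh temp dir, supplying the log message
# with -m so no editor is consulted, then print the imported top-level entries
# (expected: "bin doc src"). Returns non-zero if any svn step fails.
svn_import_test() {
    work=$(mktemp -d) || return 1
    svnadmin create --fs-type fsfs "$work/svn" || return 1
    mkdir -p "$work/project/bin" "$work/project/src" "$work/project/doc"
    echo test > "$work/project/doc/index.html"
    echo stuff > "$work/project/src/Makefile"
    svn import -m "Initial import (QA test for the CVE-2020-17525 update)" \
        "$work/project" "file://$work/svn/project" >/dev/null || return 1
    listing=$(svn ls "file://$work/svn/project" | tr -d '/' | sort | paste -sd ' ') || return 1
    rm -rf "$work"
    printf '%s\n' "$listing"
}

if command -v svnadmin >/dev/null 2>&1 && command -v svn >/dev/null 2>&1; then
    svn_editor_source || echo "no editor configured; passing the log message with -m"
    svn_import_test
else
    echo "svn/svnadmin not installed; import test skipped"
fi
```

Setting SVN_EDITOR in the tester's shell profile (or keeping `-m` / `-F` in the test notes) avoids the E205007 stop without changing anything about the packages under test.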
Comment 10 David Walser 2021-02-26 16:39:44 CET
Debian has issued an advisory for this on February 13:
https://www.debian.org/security/2021/dsa-4851
