Apache has issued advisories on April 12:
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt

The issues are fixed upstream in 1.14.2:
https://www.openwall.com/lists/oss-security/2022/04/12/2

Mageia 8 is also affected.
Source RPM: (none) => subversion-1.14.1-1.1.mga8.src.rpm
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2021-28544, CVE-2022-24070
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

SVN authz protected copyfrom paths regression. (CVE-2021-28544)

Subversion's mod_dav_svn is vulnerable to memory corruption. (CVE-2022-24070)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24070
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
https://www.openwall.com/lists/oss-security/2022/04/12/2
========================

Updated packages in core/updates_testing:
========================
apache-mod_dav_svn-1.14.2-1.mga8
lib(64)svn0-1.14.2-1.mga8
lib(64)svnjavahl1-1.14.2-1.mga8
lib(64)svn-gnome-keyring0-1.14.2-1.mga8
lib(64)svn-kwallet0-1.14.2-1.mga8
perl-SVN-1.14.2-1.mga8
python3-svn-1.14.2-1.mga8
subversion-server-1.14.2-1.mga8
subversion-tools-1.14.2-1.mga8
subversion-devel-1.14.2-1.mga8
subversion-1.14.2-1.mga8
subversion-doc-1.14.2-1.mga8
svn-javahl-1.14.2-1.mga8

from SRPM:
subversion-1.14.2-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Advisory committed to svn using the new version. Validating the update.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Ubuntu has issued an advisory for this today (April 12):
https://ubuntu.com/security/notices/USN-5372-1
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0140.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED