Bug 30274 - subversion new security issues CVE-2021-28544 and CVE-2022-24070
Summary: subversion new security issues CVE-2021-28544 and CVE-2022-24070
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-04-12 16:01 CEST by Nicolas Salguero
Modified: 2022-04-13 18:07 CEST
CC: 3 users

See Also:
Source RPM: subversion-1.14.1-1.1.mga8.src.rpm
CVE: CVE-2021-28544, CVE-2022-24070
Status comment:



Description Nicolas Salguero 2022-04-12 16:01:42 CEST
Apache has issued advisories on April 12:
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt

The issues are fixed upstream in 1.14.2:
https://www.openwall.com/lists/oss-security/2022/04/12/2

Mageia 8 is also affected.
Nicolas Salguero 2022-04-12 16:02:57 CEST

Source RPM: (none) => subversion-1.14.1-1.1.mga8.src.rpm
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2021-28544, CVE-2022-24070

Comment 1 Nicolas Salguero 2022-04-12 16:32:03 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

SVN authz protected copyfrom paths regression. (CVE-2021-28544)

Subversion's mod_dav_svn is vulnerable to memory corruption. (CVE-2022-24070)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24070
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
https://www.openwall.com/lists/oss-security/2022/04/12/2
========================

Updated packages in core/updates_testing:
========================
apache-mod_dav_svn-1.14.2-1.mga8
lib(64)svn0-1.14.2-1.mga8
lib(64)svnjavahl1-1.14.2-1.mga8
lib(64)svn-gnome-keyring0-1.14.2-1.mga8
lib(64)svn-kwallet0-1.14.2-1.mga8
perl-SVN-1.14.2-1.mga8
python3-svn-1.14.2-1.mga8
subversion-server-1.14.2-1.mga8
subversion-tools-1.14.2-1.mga8
subversion-devel-1.14.2-1.mga8
subversion-1.14.2-1.mga8
subversion-doc-1.14.2-1.mga8
svn-javahl-1.14.2-1.mga8

from SRPM:
subversion-1.14.2-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 2 Dave Hodgins 2022-04-12 20:33:19 CEST
Advisory committed to svn using the new version. Validating the update.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 David Walser 2022-04-12 22:52:38 CEST
Ubuntu has issued an advisory for this today (April 12):
https://ubuntu.com/security/notices/USN-5372-1

Comment 4 Mageia Robot 2022-04-13 18:07:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0140.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

