You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa subversion

Sigurnosni nedostatak programskog paketa subversion

——————————————————————————–
Fedora Update Notification
FEDORA-2014-3567
2014-03-07 05:31:59
——————————————————————————–

Name : subversion
Product : Fedora 19
Version : 1.7.16
Release : 1.fc19
URL : http://subversion.apache.org/
Summary : A Modern Concurrent Version Control System
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes. Subversion only stores the differences between versions,
instead of every complete file. Subversion is intended to be a
compelling replacement for CVS.

——————————————————————————–
Update Information:

This update includes the latest stable release of Apache Subversion 1.7, fixing a security issue (CVE-2014-0032):

Subversion’s mod_dav_svn Apache HTTPD server module will crash when it receives an OPTIONS request against the server root and Subversion is configured to handle the server root and SVNListParentPath is on.

This can lead to a DoS. There are no known instances of this problem being exploited in the wild, but the details of how to exploit it have been disclosed on the Subversion development mailing list.

For more information, see:

https://subversion.apache.org/security/CVE-2014-0032-advisory.txt

A number of client-side bug fixes are included in this update:

* copy: fix some scenarios that broke the working copy
* diff: fix regressions due to fixes in 1.7.14

One server-side bug fixes is also included:

* reduce memory usage during checkout and export

——————————————————————————–
ChangeLog:

* Mon Mar 3 2014 Joe Orton <jorton@redhat.com> – 1.7.16-1
– update to 1.7.16
* Tue Nov 26 2013 Joe Orton <jorton@redhat.com> – 1.7.14-1
– update to 1.7.14 (#1034377)
* Tue Sep 3 2013 Joe Orton <jorton@redhat.com> – 1.7.13-1
– update to 1.7.13 (#1003070)
– move bash completions out of /etc (#922993)
* Thu Jul 25 2013 Joe Orton <jorton@redhat.com> – 1.7.11-1
– update to 1.7.11
– use full relro in mod_dav_svn build (#973694)
——————————————————————————–
References:

[ 1 ] Bug #1062042 – CVE-2014-0032 subversion: mod_dav_svn crash when handling certain requests with SVNListParentPath on
https://bugzilla.redhat.com/show_bug.cgi?id=1062042
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update subversion’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-3365
2014-03-04 04:01:24
——————————————————————————–

Name : subversion
Product : Fedora 20
Version : 1.8.8
Release : 1.fc20
URL : http://subversion.apache.org/
Summary : A Modern Concurrent Version Control System
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes. Subversion only stores the differences between versions,
instead of every complete file. Subversion is intended to be a
compelling replacement for CVS.

——————————————————————————–
Update Information:

This update includes the latest stable release of Subversion, fixing a security issue (CVE-2014-0032):

Subversion’s mod_dav_svn Apache HTTPD server module will crash when it receives an OPTIONS request against the server root and Subversion is configured to handle the server root and SVNListParentPath is on.

This can lead to a DoS. There are no known instances of this problem being exploited in the wild, but the details of how to exploit it have been disclosed on the Subversion development mailing list.

For more information, see:

https://subversion.apache.org/security/CVE-2014-0032-advisory.txt

A number of client-side bug fixes are included in this update:

* fix automatic relocate for wcs not at repository root
* wc: improve performance when used with SQLite 3.8
* copy: fix some scenarios that broke the working copy
* move: fix errors when moving files between an external and the parent working copy
* log: resolve performance regression in certain scenarios
* merge: decrease work to detect differences between 3 files
* commit: don’t change file permissions inappropriately
* commit: fix assertion due to invalid pool lifetime
* version: don’t cut off the distribution version on Linux
* flush stdout before exiting to avoid information being lost
* status: fix missing sentinel value on warning codes
* update/switch: improve some WC db queries that may return incorrect results depending on how SQLite is built

Server-side bugfixes:

* reduce memory usage during checkout and export
* fsfs: create rep-cache.db with proper permissions
* mod_dav_svn: prevent crashes with SVNListParentPath on (CVE-2014-0032)
* mod_dav_svn: fix SVNAllowBulkUpdates directive merging
* mod_dav_svn: include requested property changes in reports
* svnserve: correct default cache size in help text
* svnadmin dump: reduce size of dump files with ‘–deltas’
* resolve integer underflow that resulted in infinite loops

——————————————————————————–
ChangeLog:

* Fri Feb 28 2014 Joe Orton <jorton@redhat.com> – 1.8.8-1
– update to 1.8.8
* Thu Jan 23 2014 Joe Orton <jorton@redhat.com> – 1.8.5-4
– fix _httpd_mmn expansion in absence of httpd-devel
* Mon Jan 6 2014 Joe Orton <jorton@redhat.com> – 1.8.5-3
– fix permissions of /run/svnserve (#1048422)
* Tue Dec 10 2013 Joe Orton <jorton@redhat.com> – 1.8.5-2
– don’t drop -Wall when building swig Perl bindings (#1037341)
* Tue Nov 26 2013 Joe Orton <jorton@redhat.com> – 1.8.5-1
– update to 1.8.5 (#1034130)
– add fix for wc-queries-test breakage (h/t Andreas Stieger, r1542774)
* Mon Nov 18 2013 Joe Orton <jorton@redhat.com> – 1.8.4-2
– add fix for ppc breakage (Andreas Stieger, #985582)
* Tue Oct 29 2013 Joe Orton <jorton@redhat.com> – 1.8.4-1
– update to 1.8.4
——————————————————————————–
References:

[ 1 ] Bug #1062042 – CVE-2014-0032 subversion: mod_dav_svn crash when handling certain requests with SVNListParentPath on
https://bugzilla.redhat.com/show_bug.cgi?id=1062042
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update subversion’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Top
More in Preporuke
Sigurnosni nedostaci programskog paketa php

Otkriveni su sigurnosni nedostaci u programskom paketu php za operacijski sustav Mandriva. Otkriveni nedostaci potencijalnim napadačima omogućuju izvršavanje proizvoljnog programskog...

Close