Security: Multiple issues in Subversion
Name: Multiple issues in Subversion
ID: FEDORA-2013-13672
Distribution: Fedora
Platforms: Fedora 18
Date: Thu, 15 August 2013, 08:50
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4131
Applications: Subversion

Original message
Name : subversion
Product : Fedora 18
Version : 1.7.11
Release : 1.fc18.1
URL : http://subversion.apache.org/
Summary : A Modern Concurrent Version Control System
Description : Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Subversion only stores the differences between versions, instead of every complete file. Subversion is intended to be a compelling replacement for CVS.
-------------------------------------------------------------------------------
Update Information:
This update includes the latest release of Apache Subversion 1.7, version 1.7.11. Several security vulnerabilities are fixed in this update:
Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion on some requests made against a revision root. This can lead to a DoS. If assertions are disabled it will trigger a read overflow which may cause a segmentation fault or undefined behavior. Commit access is required to exploit this. (CVE-2013-4131)
If a filename which contains a newline character (ASCII 0x0a) is committed to a repository using the FSFS format, the resulting revision is corrupt. This can lead to disruption for users of the repository. (CVE-2013-1968)
Subversion's contrib/ directory contains two example hook scripts, which use 'svnlook changed' to examine a revision or transaction and then pass those paths as arguments to further 'svnlook' commands, without properly escaping the command-line. (CVE-2013-2088)
Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process. This can lead to disruption for users of the server. (CVE-2013-2112)
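The hook-script issue (CVE-2013-2088) comes down to how paths taken from 'svnlook changed' reach the next 'svnlook' command. The following Python sketch is an added example, not code from the advisory or from Subversion's contrib/ scripts; the repository path, transaction name and sample output are constructed. It contrasts a path interpolated into a shell command line with the same path quoted or passed as one argv element.

```python
import shlex

# Constructed sample of `svnlook changed` output: two status columns,
# two spaces, then the path exactly as it was committed.
SAMPLE_CHANGED = (
    "A   trunk/README.txt\n"
    "U   trunk/docs/release notes.txt\n"
    "A   trunk/x; echo INJECTED\n"
    "D   trunk/old.txt\n"
    "A   trunk/newdir/\n"
)
REPO, TXN = "/srv/svn/repo", "1-1"  # constructed placeholders


def changed_files(changed_output):
    """Paths of added/modified files (deletions and directories skipped)."""
    paths = []
    for line in changed_output.splitlines():
        status, path = line[:2], line[4:]
        if not path or status[0] == "D" or path.endswith("/"):
            continue
        paths.append(path)
    return paths


def naive_command(path):
    """Unsafe pattern: the committed path is pasted into a shell string."""
    return f"svnlook cat -t {TXN} {REPO} {path}"


def quoted_command(path):
    """Shell string with every argument passed through shlex.quote()."""
    return "svnlook cat -t {} {} {}".format(
        shlex.quote(TXN), shlex.quote(REPO), shlex.quote(path))


def safe_argv(path):
    """Preferred: argv list for subprocess.run(argv), no shell involved."""
    return ["svnlook", "cat", "-t", TXN, REPO, path]


def shell_tokens(command):
    """Tokenize roughly as a POSIX shell would, keeping operators like ';'."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


if __name__ == "__main__":
    for p in changed_files(SAMPLE_CHANGED):
        print(shell_tokens(naive_command(p)), "vs", safe_argv(p))
```

Only the naive form lets a committed filename change the number of arguments or introduce a shell operator; the argv form hands the path to svnlook unchanged.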
The following client-side bugs were fixed in the 1.7.10 release:
* fix 'svn revert' "no such table: revert_list" spurious error
* fix 'svn diff' doesn't show some locally added files
* fix changelist filtering when --changelist values aren't UTF8
* fix 'svn diff --git' shows wrong copyfrom
* fix 'svn diff -x-w' shows wrong changes
* fix 'svn blame' sometimes shows every line as modified
* fix regression in 'svn status -u' output for externals
* fix file permissions change on commit of file with keywords
* improve some fatal error messages
* fix externals not removed when working copy is made shallow
The following server-side bugs are fixed:
* fix repository corruption due to newline in filename
* fix svnserve exiting when a client connection is aborted
* fix svnserve memory use after clear
-------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 25 2013 Joe Orton <jorton@redhat.com> - 1.7.11-1.1
- use full RELRO for mod_*.so (#973694)
* Thu Jul 25 2013 Joe Orton <jorton@redhat.com> - 1.7.11-1
- update to 1.7.11
* Mon Jun 3 2013 Joe Orton <jorton@redhat.com> - 1.7.10-1
- update to 1.7.10 (#970014)
- fix aarch64 build issues (Dennis Gilmore, #926578)
* Tue Apr 9 2013 Joe Orton <jorton@redhat.com> - 1.7.9-1
- update to 1.7.9 (#948813)
* Tue Jan 8 2013 Joe Orton <jorton@redhat.com> - 1.7.8-3
- update to latest psvn.el
* Tue Jan 8 2013 Lukáš Nykrýn <lnykryn@redhat.com> - 1.7.8-2
- Scriptlets replaced with new systemd macros (#850410)
* Fri Jan 4 2013 Joe Orton <jorton@redhat.com> - 1.7.8-1
- update to 1.7.8
-------------------------------------------------------------------------------
References:
[ 1 ] Bug #986194 - CVE-2013-4131 subversion: DoS (assertion failure, crash) in mod_dav_svn when handling certain MOVE, COPY, or DELETE HTTP requests
https://bugzilla.redhat.com/show_bug.cgi?id=986194
[ 2 ] Bug #970014 - CVE-2013-1968 subversion (FSFS format): Filenames with newline character can lead to revision corruption
https://bugzilla.redhat.com/show_bug.cgi?id=970014
[ 3 ] Bug #970027 - CVE-2013-2088 subversion: Improper sanitization of arguments of certain hook scripts might lead to arbitrary code execution
https://bugzilla.redhat.com/show_bug.cgi?id=970027
[ 4 ] Bug #970037 - CVE-2013-2112 subversion: Remote DoS due improper handling of early-closing TCP connections
https://bugzilla.redhat.com/show_bug.cgi?id=970037
-------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use su -c 'yum update subversion' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
-------------------------------------------------------------------------------
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce