Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in Subversion
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Subversion
ID: FEDORA-2013-13672
Distribution: Fedora
Plattformen: Fedora 18
Datum: Do, 15. August 2013, 08:50
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4131
Applikationen: Subversion

Originalnachricht

 
Name        : subversion
Product     : Fedora 18
Version     : 1.7.11
Release     : 1.fc18.1
URL         : http://subversion.apache.org/
Summary     : A Modern Concurrent Version Control System
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes.  Subversion only stores the differences between versions,
instead of every complete file.  Subversion is intended to be a
compelling replacement for CVS.

-------------------------------------------------------------------------------
-
Update Information:

This update includes the latest release of Apache Subversion 1.7, version
 1.7.11.  Several security vulnerabilities are fixed in this update:



Subversion's mod_dav_svn Apache HTTPD server module will trigger an
 assertion on some requests made against a revision root.  This can lead to a DoS.  If assertions are disabled it will trigger a read overflow which may cause a segmentation fault or undefined behavior.  Commit access is required to exploit this.

(CVE-2013-4131)



If a filename which contains a newline character (ASCII 0x0a) is

committed to a repository using the FSFS format, the resulting

revision is corrupt.  This can lead to disruption for users of the repository. 
 (CVE-2013-1968)



Subversion's contrib/ directory contains two example hook scripts, which
 use 'svnlook changed' to examine a revision or transaction and then pass those paths as arguments to further 'svnlook' commands, without properly escaping the command-line.  (CVE-2013-2088)



Subversion's svnserve server process may exit when an incoming TCP
 connection is closed early in the connection process.  This can lead to disruption for users of the server.  (CVE-2013-2112)



The following client-side bugs were fixed in the 1.7.10 release:



* fix 'svn revert' "no such table: revert_list" spurious error

* fix 'svn diff' doesn't show some locally added files

* fix changelist filtering when --changelist values aren't UTF8

* fix 'svn diff --git' shows wrong copyfrom

* fix 'svn diff -x-w' shows wrong changes

* fix 'svn blame' sometimes shows every line as modified

* fix regression in 'svn status -u' output for externals

* fix file permissions change on commit of file with keywords

* improve some fatal error messages

* fix externals not removed when working copy is made shallow



The following server-side bugs are fixed:



* fix repository corruption due to newline in filename

* fix svnserve exiting when a client connection is aborted

* fix svnserve memory use after clear


-------------------------------------------------------------------------------
-
ChangeLog:

* Thu Jul 25 2013 Joe Orton <jorton@redhat.com> - 1.7.11-1.1
- use full RELRO for mod_*.so (#973694)
* Thu Jul 25 2013 Joe Orton <jorton@redhat.com> - 1.7.11-1
- update to 1.7.11
* Mon Jun  3 2013 Joe Orton <jorton@redhat.com> - 1.7.10-1
- update to 1.7.10 (#970014)
- fix aarch64 build issues (Dennis Gilmore, #926578)
* Tue Apr  9 2013 Joe Orton <jorton@redhat.com> - 1.7.9-1
- update to 1.7.9 (#948813)
* Tue Jan  8 2013 Joe Orton <jorton@redhat.com> - 1.7.8-3
- update to latest psvn.el
* Tue Jan  8 2013 Lukáš Nykrýn <lnykryn@redhat.com> - 1.7.8-2
- Scriptlets replaced with new systemd macros (#850410)
* Fri Jan  4 2013 Joe Orton <jorton@redhat.com> - 1.7.8-1
- update to 1.7.8
-------------------------------------------------------------------------------
-
References:

  [ 1 ] Bug #986194 - CVE-2013-4131 subversion: DoS (assertion failure, crash)
 in mod_dav_svn when handling certain MOVE, COPY, or DELETE HTTP requests
        https://bugzilla.redhat.com/show_bug.cgi?id=986194
  [ 2 ] Bug #970014 - CVE-2013-1968 subversion (FSFS format): Filenames with
 newline character can lead to revision corruption
        https://bugzilla.redhat.com/show_bug.cgi?id=970014
  [ 3 ] Bug #970027 - CVE-2013-2088 subversion: Improper sanitization of
 arguments of certain hook scripts might lead to arbitrary code execution
        https://bugzilla.redhat.com/show_bug.cgi?id=970027
  [ 4 ] Bug #970037 - CVE-2013-2112 subversion: Remote DoS due improper
 handling of early-closing TCP connections
        https://bugzilla.redhat.com/show_bug.cgi?id=970037
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program.  Use 
su -c 'yum update subversion' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung