Bug 850747 - Apache Subversion 1.8.5 and 1.7.14 maintenance releases
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE 13.1
Component: Maintenance
Final
All openSUSE 13.1
: P3 - Medium : Normal (vote)
Assigned To: Andreas Stieger
Reported: 2013-11-15 21:45 UTC by Andreas Stieger
Modified: 2013-12-31 19:12 UTC (History)
Description Andreas Stieger 2013-11-15 21:45:59 UTC
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0

From https://svn.apache.org/repos/asf/subversion/tags/1.8.5/CHANGES

Version 1.8.5
(25 November 2013, from /branches/1.8.x)
http://svn.apache.org/repos/asf/subversion/tags/1.8.5

 User-visible changes:
  - Client-side bugfixes:
    * fix externals that point at redirected locations (issues #4428, #4429)
    * diff: fix assertion with move inside a copy (issue #4444)

  - Server-side bugfixes:
    * mod_dav_svn: Prevent crashes with some 3rd party modules (r1537360 et al)
    * mod_dav_svn: canonicalize paths properly (r1542071)
    * mod_authz_svn: fix crash of mod_authz_svn with invalid config (r1541432)
    * hotcopy: fix hotcopy losing revprop files in packed repos (issue #4448)
 
  - Other tool improvements and bugfixes:
    * mod_dontdothat: Fix the uri parser (r1542069 et al)

 Developer-visible changes:
  - General:
    * fix compilation with '--enable-optimize' with clang (r1534860)
    * fix compilation with debug build of BDB on Windows (r1501656, r1501702)
    * fix '--with-openssl' option when building on Windows (r1535139) 
    * add test to fail when built against broken ZLib (r1537193 et al)

  - Bindings:
    * swig-rb: fix tests to run without installing on OS X (r1535161)
    * ctypes-python: build with compiler selected via configure (r1536537)


From https://svn.apache.org/repos/asf/subversion/tags/1.7.14/CHANGES

Version 1.7.14
(25 Nov 2013, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.14

 User-visible changes:
  - Client- and server-side bugfixes:
    * fix assertion on urls of the form 'file://./' (r1516806)

  - Client-side bugfixes:
    * upgrade: fix an assertion when used with pre-1.3 wcs (r1530849)
    * ra_local: fix error with repository in Windows drive root (r1518184)
    * fix crash on windows when piped command is interrupted (r1522892)
    * fix externals that point at redirected locations (issues #4428, #4429)
    * diff: fix incorrect calculation of changes in some cases (issue #4283)
    * diff: fix errors with added/deleted targets (issues #4153, #4421)

  - Server-side bugfixes:
    * mod_dav_svn: Prevent crashes with some 3rd party modules (r1537360 et al)
    * fix OOM on concurrent requests at threaded server start (r1527103 et al)
    * fsfs: limit commit time of files with deep change histories (r1536790)
    * mod_dav_svn: canonicalize paths properly (r1542071)

  - Other tool improvements and bugfixes:
    * mod_dontdothat: Fix the uri parser (r1542069 et al)

 Developer-visible changes:
  - Bindings:
    * javahl: canonicalize path for streamFileContent method (r1524869)

Reproducible: Didn't try
Comment 1 Bernhard Wiedemann 2013-11-23 18:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (850747) was mentioned in
https://build.opensuse.org/request/show/208052 Factory / subversion
Comment 2 Bernhard Wiedemann 2013-11-23 19:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (850747) was mentioned in
https://build.opensuse.org/request/show/208054 Factory / subversion
https://build.opensuse.org/request/show/208056 13.1+12.2+12.3 / subversion
Comment 3 Benjamin Brunner 2013-11-25 14:41:53 UTC
Thanks for your submission. 
JFI, because of the different versions I split it into two different incidents:
12.2/12.3 openSUSE:Maintenance:2280
13.1 openSUSE:Maintenance:2281
Comment 4 Andreas Stieger 2013-11-25 16:59:37 UTC
Contains security updates:

CVE-2013-4505
1.4.0-1.7.13 and 1.8.0-1.8.4
mod_dontdothat does not restrict requests from serf based clients
https://subversion.apache.org/security/CVE-2013-4505-advisory.txt

CVE-2013-4558
1.7.11-1.7.13 and 1.8.1-1.8.4
mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits
https://subversion.apache.org/security/CVE-2013-4558-advisory.txt

Adding security team.
Comment 5 Bernhard Wiedemann 2013-11-25 19:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (850747) was mentioned in
https://build.opensuse.org/request/show/208334 Factory / subversion
Comment 6 Andreas Stieger 2013-11-26 18:49:11 UTC
CVE added and follow-up requests for the mentioned incidents.
https://build.opensuse.org/request/show/208584
https://build.opensuse.org/request/show/208585
Comment 7 Marcus Meissner 2013-12-02 14:17:09 UTC
I think needinfo provided.
Comment 8 Swamp Workflow Management 2013-12-07 18:05:39 UTC
openSUSE-SU-2013:1836-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 850667,850747
CVE References: CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 13.1 (src):    subversion-1.8.5-2.11.1
Comment 9 Swamp Workflow Management 2013-12-12 17:04:57 UTC
openSUSE-SU-2013:1860-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 850667,850747
CVE References: CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 12.3 (src):    subversion-1.7.14-2.22.1
openSUSE 12.2 (src):    subversion-1.7.14-4.30.1
Comment 10 Swamp Workflow Management 2013-12-13 13:06:32 UTC
openSUSE-SU-2013:1869-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 528714,649861,662030,713919,788015,794676,830031,836245,850747
CVE References: CVE-2010-3315,CVE-2010-4539,CVE-2010-4644,CVE-2013-1884,CVE-2013-4131,CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 11.4 (src):    subversion-1.7.14-59.1
Comment 11 Andreas Stieger 2013-12-31 19:12:54 UTC
Resolving as fixed for openSUSE.
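
Added example, not part of the bug report or of any openSUSE or Subversion tooling: a fleet check built from the affected ranges in comment 4 and the fixed source builds announced in comments 8 to 10. It assumes purely numeric dotted versions and releases (it is not a full RPM version comparison); the function names, host names and inventory entries are constructed for illustration.

```python
import re

# Affected upstream ranges as listed in comment 4 (inclusive bounds).
AFFECTED = {
    "CVE-2013-4505": [("1.4.0", "1.7.13"), ("1.8.0", "1.8.4")],
    "CVE-2013-4558": [("1.7.11", "1.7.13"), ("1.8.1", "1.8.4")],
}

# Fixed source builds from comments 8-10: (version, release).
FIXED = {
    "openSUSE 13.1": ("1.8.5", "2.11.1"),
    "openSUSE 12.3": ("1.7.14", "2.22.1"),
    "openSUSE 12.2": ("1.7.14", "4.30.1"),
    "openSUSE 11.4": ("1.7.14", "59.1"),
}

# Constructed inventory: (host, distro, installed version-release).
INVENTORY = [
    ("svn-a", "openSUSE 13.1", "1.8.4-2.7.1"),
    ("svn-b", "openSUSE 12.3", "1.7.14-2.22.1"),
]

def key(v):
    """Numeric dotted string -> tuple, so 1.7.9 sorts below 1.7.11."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))

def cves_for(upstream):
    """CVEs from comment 4 whose ranges contain this upstream version."""
    v = key(upstream)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(key(lo) <= v <= key(hi) for lo, hi in ranges))

def needs_update(distro, version_release):
    """True if the installed 'version-release' predates the fixed build."""
    version, _, release = version_release.partition("-")
    fixed_v, fixed_r = FIXED[distro]
    return (key(version), key(release)) < (key(fixed_v), key(fixed_r))

def audit(inventory):
    """Map each host still on a pre-fix build to the CVEs affecting it."""
    return {host: cves_for(vr.split("-")[0])
            for host, distro, vr in inventory if needs_update(distro, vr)}

if __name__ == "__main__":
    print(audit(INVENTORY))
```

A version string with letters or an epoch raises `ValueError` rather than being compared incorrectly; such packages need a real RPM version comparison.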