Subversion 1.4.3 and earlier does not properly implement the "partial access" privilege for users who have access to changed paths but not copied paths, which allows remote authenticated users to obtain sensitive information (revision properties) via svn (1) propget, (2) proplist, or (3) propedit. ---- More elaborate description at $URL. Upstream patch: http://svn.collab.net/viewvc/svn?view=rev&revision=25185
i have just added 1.4.5 to the tree with many fixes. this is the next candidate for stabilization
Thx Benedikt. Is this one ready for stable marking now?
(In reply to comment #2) > Is this one ready for stable marking now? Yes. There's nothing new for UNIX-like systems. 1.4.5 contains only a fix for Windows.
Arches, please test and mark stable dev-util/subversion-1.4.5. Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
Oh, wait. Hollow, is that an authoritative answer?
(In reply to comment #5) > Oh, wait. Hollow, is that an authoritative answer? Yes. I belong to Subversion upstream and I don't have bad intentions. http://subversion.tigris.org/servlets/ReadMsg?list=users&msgNo=69413 1.4.5 works identically as 1.4.4 on GNU/Linux and *BSD.
yep, go for stabilization :)
(In reply to comment #6) > Yes. I belong to Subversion upstream and I don't have bad intentions. I didn't mean you have bad intentions, just that I first thought you were in the Gentoo Apache team. And we have 1.3.* stable right now, so this is not a tiny bump.
x86 stable
stable on sparc
alpha/ia64 stable
Stable for HPPA, despite: IUSE.invalid 1 dev-util/subversion/subversion-1.4.5.ebuild: svnserve
ppc64 stable
ppc stable
amd64 done...
GLSA vote is open. I vote NO since this this vulnerability is rare and with little impact, quoting: "data is not commonly copied from a private location to a public one... only reveal the contents of properties, not the revision's changed-paths information. And, of course, this bug does not permit anyone to see file contents or directory listings that they should not."
voting NO too and closing.
Does not affect current (2008.0) release. Removing release.
