From ${URL} : A mod_dav_svn crash was reported when SVNListParentPath is on: http://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3CCANvU9scLHr2yOLABW8q6_wNzhEf7pWM=NiavGcobqvUuyhKyAA@mail.gmail.com%3E Certain requests could cause mod_dav_svn to crash. This has been corrected in version 1.7.15: https://svn.apache.org/repos/asf/subversion/branches/1.7.x/CHANGES Upstream fix for CVE-2014-0032: http://svn.apache.org/viewvc?view=revision&revision=r1557320 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This issue is fixed in 1.7.16 (1.7.15 was never released) and 1.8.8 according to http://svn.apache.org/repos/asf/subversion/trunk/CHANGES @maintainers: is 1.8.8 or 1.8.9 ready for stabilization? I notice the latest 1.7.x series we have in tree is still 1.7.14.
(In reply to Kristian Fiskerstrand from comment #1) > This issue is fixed in 1.7.16 (1.7.15 was never released) and 1.8.8 > according to http://svn.apache.org/repos/asf/subversion/trunk/CHANGES > > @maintainers: is 1.8.8 or 1.8.9 ready for stabilization? I notice the latest > 1.7.x series we have in tree is still 1.7.14. 1.7.17 was added on the first of june so should be ready for stabilization too
Arches, please test and mark stable =dev-vcs/subversion-1.7.17 Targets: alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86
CVE-2014-0032 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0032): The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command.
Stable on alpha.
stable arm64
arm stable
Stable for HPPA.
amd64 stable
x86 stable
ia64/sparc stable
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
older versions for the 1.7 series removed, latest one is now 1.7.17, which will be removed once stabilization for bug 519202 is done.
Cleanup already done. GLSA Vote: No
(In reply to Kristian Fiskerstrand from comment #15) > Cleanup already done. > > GLSA Vote: No Adding as GLSA to existing request 8cfee74a1
This issue was resolved and addressed in GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05 by GLSA coordinator Aaron Bauman (b-man).