Bug 556076 (CVE-2015-3184) - <dev-vcs/subversion-{1.7.21,1.8.14}: Multiple vulnerabilities (CVE-2015-{3184,3187})
Summary: <dev-vcs/subversion-{1.7.21,1.8.14}: Multiple vulnerabilities (CVE-2015-{3184...
Status: RESOLVED FIXED
Alias: CVE-2015-3184
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: 539642
Blocks:
Reported: 2015-07-27 21:45 UTC by Tobias Heinlein (RETIRED)
Modified: 2016-10-11 12:47 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tobias Heinlein (RETIRED) gentoo-dev 2015-07-27 21:45:00 UTC
We have received a confidential pre-notification for multiple security alerts for Subversion clients and servers:

 * CVE-2015-3184
   Mixed anonymous/authenticated path-based authz with httpd 2.4.
 * CVE-2015-3187
   svn_repos_trace_node_locations() leaks paths hidden by authz.


Lars and Thomas, I have emailed you the details. Can you prepare an updated ebuild or prepare for the new release so we can rapidly stabilize it on release date?

Agostino, will you be available on release date for stabilization?
Comment 1 Agostino Sarubbo gentoo-dev 2015-07-28 07:34:35 UTC
(In reply to Tobias Heinlein from comment #0)
> Agostino, will you be available on release date for stabilization?

Sure.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-05 20:31:18 UTC
So, any prepared ebuilds?
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-08-06 05:38:41 UTC
+*subversion-1.9.0 (06 Aug 2015)
+*subversion-1.8.14-r1 (06 Aug 2015)
+*subversion-1.8.14 (06 Aug 2015)
+
+  06 Aug 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -subversion-1.8.13-r2.ebuild, +subversion-1.8.14.ebuild,
+  +subversion-1.8.14-r1.ebuild, +subversion-1.9.0.ebuild:
+  Security bump (bug #55607). Removed old.
+
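Review bot: the bug reference in the ChangeLog entry, "Security bump (bug #55607)", is missing a digit; this bug is 556076 (as the title and the later 1.7.21 entry state), so the entry should read "Security bump (bug #556076)" to keep the commit traceable to the advisory.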

Once Tommy has added the ebuild for the 1.7.x version, arches should stabilize =dev-vcs/subversion-1.8.14 (not the -r1 ebuild!) and his 1.7.x version.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2015-08-06 13:28:12 UTC
Public as per https://subversion.apache.org/security/.
Comment 5 Thomas Sachau gentoo-dev 2015-08-06 19:30:31 UTC
+*subversion-1.7.21 (06 Aug 2015)
+
+  06 Aug 2015; Thomas Sachau (Tommy[D]) <tommy@gentoo.org>
+  +subversion-1.7.21.ebuild:
+  Version bump for 1.7 series to 1.7.21 for bug 556076, known issue: some tests
+  may fail
+
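Review bot: the ChangeLog note "known issue: some tests may fail" gives arch testers no way to tell an expected failure from a regression in a security stabilization; name the failing tests (or the upstream issue) in the entry so a new failure during stabilization is not mistaken for the known one.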

arches, please mark stable:

=dev-vcs/subversion-1.7.21 with target keywords="alpha amd64 arm ~arm64 ~hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

and

=dev-vcs/subversion-1.8.14 with target keywords="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-06 19:55:46 UTC
amd64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2015-08-07 08:39:10 UTC
Stable on alpha.
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-09 15:35:46 UTC
ia64 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-09 17:57:53 UTC
x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-15 08:02:41 UTC
Stable for PPC64.
Comment 11 Markus Meier gentoo-dev 2015-08-16 19:55:37 UTC
arm stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-18 03:56:26 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2015-08-26 07:29:24 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-09-06 08:33:04 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-09-09 04:03:46 UTC
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 16 Thomas Sachau gentoo-dev 2015-09-13 18:49:08 UTC
ebuilds for subversion-1.7.20 and subversion-1.8.13-r1 removed.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-09-27 03:10:18 UTC
Maintainer(s), thank you for the cleanup.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 12:47:32 UTC
This issue was resolved and addressed in
 GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05
by GLSA coordinator Aaron Bauman (b-man).