* CVE-2016-2167 svnserve/sasl may authenticate users using the wrong realm * CVE-2016-2168 mod_authz_svn: DoS in MOVE/COPY authorization check I have no further information yet. Bot issues are fixed with subversion-1.8.16 and subversion-1.9.4 which I already have the ebuilds/source-tarballs avaibale yet.
Upstream finally announced the release: http://mail-archives.apache.org/mod_mbox/subversion-announce/201604.mbox/%3CCAP_GPNgfn1iKueW51EpmXzXi_URNfGNofZSgOyW1_jnSeNm5DQ@mail.gmail.com%3E Please unrestrict this bug.
commit a008b507559a8a06e3ba06fb8e9b18ca54c1d3d5 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Thu Apr 28 21:52:29 2016 dev-vcs/subversion: Security bump to versions 1.8.16 and 1.9.4 (bug #581448). Package-Manager: portage-2.2.28 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> Arches please test and mark stable =dev-vcs/subversion-1.8.16 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Publicly released, lifting restriction
Arches, please test and mark stable: =dev-vcs/subversion-1.8.16 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
Stable for HPPA PPC64.
arm stable
Stable on alpha.
x86 stable
CVE-2016-2168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2168): The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check. CVE-2016-2167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2167): The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
(In reply to Lars Wendler (Polynomial-C) from comment #2) > commit a008b507559a8a06e3ba06fb8e9b18ca54c1d3d5 > Author: Lars Wendler <polynomial-c@gentoo.org> > Date: Thu Apr 28 21:52:29 2016 > > dev-vcs/subversion: Security bump to versions 1.8.16 and 1.9.4 (bug > #581448). > > Package-Manager: portage-2.2.28 > Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> > > > Arches please test and mark stable =dev-vcs/subversion-1.8.16 with target > KEYWORDS: > > alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 > ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux > ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos > ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris > ~x86-solaris Any reason not to stabilize 1.9.4? Upstream supports 1.9.x branch for security related bug fixes plus the latest 1.8.x branch. If so, we can call for stabilization again here. Added to existing GLSA.
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup.
Adding maintainers to CC. Please clean: =dev-vcs/subversion-{1.8.14, 1.9.3}
This issue was resolved and addressed in GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05 by GLSA coordinator Aaron Bauman (b-man).
