Summary: <dev-vcs/subversion-1.6.16: NULL-pointer dereference in mod_dav_svn (CVE-2011-0715)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Reporter: Tim Sammut (RETIRED) <underling>
Assignee: Gentoo Security <security>
CC: andreis.vinogradovs, arfrever
URL: http://subversion.apache.org/security/CVE-2011-0715-advisory.txt
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Attachments: subversion-1.6.16.ebuild (attachment 264115)
Description
Tim Sammut (RETIRED)
2011-02-27 19:21:00 UTC
Arfrever, please add an updated ebuild to this bug, and not in CVS. Thanks!

Created attachment 264115 [details]
subversion-1.6.16.ebuild

(In reply to comment #2)
> Created an attachment (id=264115) [details]
> subversion-1.6.16.ebuild

Thank you. Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : armin76, klausman
amd64 : keytoaster, chainsaw
hppa : jer
ppc : josejx, ranger
ppc64 : josejx, ranger
sparc : armin76, tcunha
x86 : fauli, maekke

http://subversion.tigris.org/downloads/subversion-1.6.16.tar.bz2 doesn't exist yet.

(In reply to comment #4)
wget https://svn:mlDn0C4FStZ888@people.apache.org/~hwright/svn/1.6.16/tarzan-shrew/subversion-1.6.16.tar.bz2

HPPA is OK.

Does not seem to be released yet, please do not lift the embargo yet. Arch liaisons: please test and report if it is stable, do not commit yet!

This issue is now public.
http://subversion.apache.org/security/CVE-2011-0715-advisory.txt
@python, please commit the ebuild with HPPA and any additional noted stables below. Adding full Arch teams for remaining stabilization.

(In reply to comment #8)
> @python, please
So now arfrever equals python@? ;-)

Marked ppc stable.

x86 done.

amd64 ok

Built and tested on SPARC, no serious failures found with tests, although some tests were skipped and some 'xfailed'.

alpha/arm/ia64/s390/sh/sparc stable

ppc64 stable

amd64 done. Thanks Agostino

Thanks, Arfrever. FWIW, and our policy is not specific in this regard, but please let us change the whiteboard to [glsa]. It's at the [stable] to [glsa] transition that we either file a new GLSA request or note the new bug on an existing request. If someone else changes the whiteboard for us, it is possible we'll miss that step. Thanks.

Added to existing GLSA request.

*** Bug 357715 has been marked as a duplicate of this bug. ***

CVE-2011-0715 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0715):
The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.16, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request that contains a lock token.

This issue was resolved and addressed in GLSA 201309-11 at http://security.gentoo.org/glsa/glsa-201309-11.xml by GLSA coordinator Sean Amoss (ackle).
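Two checks that follow from the CVE text above, written here as an added example; this is not code from this bug, from Gentoo or from the Subversion project. The first asks whether an installed Subversion is older than 1.6.16, the first fixed upstream release the CVE entry names, taking either the output of `svn --version --quiet` or a Gentoo package version such as `1.6.15-r1` (the revision suffix is ignored, since it does not change the upstream release; for a distro build the GLSA, not the upstream number, is the authoritative answer because distributions backport fixes). The second scans Apache 2.2-style error_log lines for bursts of httpd children dying with SIGSEGV, which is what a NULL-pointer dereference inside a module like mod_dav_svn looks like on the server: WebDAV lock tokens travel in the `If` and `Lock-Token` request headers, which the default combined access log does not record, so without a custom LogFormat the crash side is what an operator can actually see. The 2.4 error_log layout differs and is not matched. Every log line, process id and the 198.51.100.7 client address below are constructed for the example.

```python
"""Added example for CVE-2011-0715; not code from the Gentoo bug or from Subversion.

1. is_affected(): is an installed Subversion older than 1.6.16, the first fixed
   upstream release named in the CVE text?  Input is `svn --version --quiet`
   output (e.g. "1.6.15") or a Gentoo package version such as "1.6.15-r1".
2. segfault_bursts(): scan Apache 2.2-era error_log lines for httpd children
   dying with SIGSEGV, the server-side symptom of a NULL-pointer dereference in
   a loaded module such as mod_dav_svn, and report bursts of them.

All log lines in this file are constructed for the example.
"""
import re
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple

# From the CVE text: "Apache Subversion before 1.6.16".
FIXED_VERSION = (1, 6, 16)


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the leading dotted-numeric part of a version as an int tuple.

    '1.6.15' -> (1, 6, 15); '1.6.15-r1' -> (1, 6, 15).  A Gentoo -rN revision
    does not change the upstream release the package was built from, so it is
    ignored here (see the caveat in is_affected()).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text: str) -> bool:
    """True if the version is older than the first fixed upstream release.

    Caveat: distributions backport fixes into older version numbers, so for a
    distro build the authoritative answer is the distro advisory (for Gentoo,
    GLSA 201309-11), not a plain comparison against the upstream number.
    """
    v = parse_version(version_text)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))  # '1.6' compares as 1.6.0
    return v < FIXED_VERSION


def svn_version_from_banner(line: str) -> Optional[str]:
    """Pull the SVN/x.y.z component mod_dav_svn adds to the server description,
    as seen in httpd's startup notice; None if the line has no such component."""
    m = re.search(r"\bSVN/(\d+(?:\.\d+)*)", line)
    return m.group(1) if m else None


# Apache 2.2 error_log layout.  The day of month is space padded below 10.
# Apache 2.4 logs these events differently (AH00052 with a [pid N] field), so
# this pattern is specific to the httpd generation current when this bug was filed.
SEGFAULT_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] "
    r"\[notice\] child pid \d+ exit signal Segmentation fault \(11\)"
)


def segfault_bursts(
    lines: Sequence[str],
    gap: timedelta = timedelta(seconds=60),
    threshold: int = 3,
) -> List[Tuple[datetime, datetime, int]]:
    """Group child segfaults into bursts and return (first, last, count) for
    every burst of at least `threshold` crashes in which consecutive crashes
    are no more than `gap` apart.  A single crash may be an ordinary bug; a
    burst suggests a client is triggering it repeatedly."""
    events = []
    for line in lines:
        m = SEGFAULT_RE.match(line)
        if m:
            events.append(datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"))
    events.sort()

    bursts: List[Tuple[datetime, datetime, int]] = []
    current: List[datetime] = []
    for ts in events:
        if current and ts - current[-1] > gap:
            if len(current) >= threshold:
                bursts.append((current[0], current[-1], len(current)))
            current = []
        current.append(ts)
    if len(current) >= threshold:
        bursts.append((current[0], current[-1], len(current)))
    return bursts


# Constructed error_log excerpt: startup notice showing the module version,
# three children dying within five seconds, an unrelated error, one isolated crash.
SAMPLE_ERROR_LOG = """\
[Sun Feb 27 19:20:58 2011] [notice] Apache/2.2.17 (Unix) DAV/2 SVN/1.6.15 configured -- resuming normal operations
[Sun Feb 27 19:21:00 2011] [notice] child pid 4321 exit signal Segmentation fault (11)
[Sun Feb 27 19:21:02 2011] [notice] child pid 4322 exit signal Segmentation fault (11)
[Sun Feb 27 19:21:05 2011] [notice] child pid 4323 exit signal Segmentation fault (11)
[Sun Feb 27 19:30:00 2011] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Sun Feb 27 20:10:00 2011] [notice] child pid 4400 exit signal Segmentation fault (11)
""".splitlines()


if __name__ == "__main__":
    for v in ("1.6.15", "1.6.15-r1", "1.6.16", "1.7.0"):
        print(f"{v:10} {'affected' if is_affected(v) else 'not affected'}")
    banner = svn_version_from_banner(SAMPLE_ERROR_LOG[0])
    print(f"server advertises SVN/{banner}: {'affected' if is_affected(banner) else 'not affected'}")
    for first, last, n in segfault_bursts(SAMPLE_ERROR_LOG):
        print(f"{n} httpd children segfaulted between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against a real error_log, lower `threshold` if the server is quiet enough that even two child deaths in a minute are unusual, and treat a burst on a host whose banner or package version is still below 1.6.16 as a reason to upgrade first and investigate second; the isolated crash in the sample is deliberately left below the threshold to show that the grouping, not the match alone, drives the alert.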