| Summary: | <dev-vcs/subversion-{1.7.20,1.8.13}: Multiple vulnerabilities (CVE-2015-{0202,0248,0251}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Eric Johnson <eric> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gentoo-bugs, joakim.tjernlund, pacho, polynomial-c, tb, tommy |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://mail-archives.apache.org/mod_mbox/subversion-announce/201503.mbox/%3C20150331120220.GO17807%40jim.stsp.name%3E | | |
| Whiteboard: | A3 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Eric Johnson
2015-04-02 18:06:52 UTC
+*subversion-1.8.13 (09 Apr 2015)
+
+  09 Apr 2015; Lars Wendler <polynomial-c@gentoo.org>
+  +subversion-1.8.13.ebuild, +files/svnserve.initd3:
+  Security bump (bug #545348). Added slightly rewritten init script.
+

@thommy: in case there's also a new 1.7.x version, would you mind adding it as well?

hmm, building this fails:
..
checking swig version... 2.0.9
..
cp ../../../../../subversion/bindings/swig/perl/native/Base.pm blib/lib/SVN/Base.pm
cp Delta.pm blib/lib/SVN/Delta.pm
cp Core.pm blib/lib/SVN/Core.pm
cp ../../../../../subversion/bindings/swig/perl/native/Client.pm blib/lib/SVN/Client.pm
cp Ra.pm blib/lib/SVN/Ra.pm
AutoSplit: Can't open blib/lib/SVN/Ra.pm: No such file or directory
cp ../../../../../subversion/bindings/swig/perl/native/Ra.pm blib/lib/SVN/Ra.pm
Makefile.client:1051: recipe for target 'pm_to_blib' failed

There is also this (harmless?) error with USE=-ruby:
checking for ruby... (cached) /usr/bin/ruby21
checking rb_hash_foreach... ./configure: line 22777: /usr/bin/ruby21: No such file or directory
no
configure: WARNING: The detected Ruby is too old for Subversion to use
configure: WARNING: A Ruby which has rb_hash_foreach is required to use the
configure: WARNING: Subversion Ruby bindings
configure: WARNING: Upgrade to the official 1.8.2 release, or later

(In reply to Joakim Tjernlund from comment #2)
> hmm, building this fails:
> ..
> checking swig version... 2.0.9
> ..
> cp ../../../../../subversion/bindings/swig/perl/native/Base.pm
> blib/lib/SVN/Base.pm
> cp Delta.pm blib/lib/SVN/Delta.pm
> cp Core.pm blib/lib/SVN/Core.pm
> cp ../../../../../subversion/bindings/swig/perl/native/Client.pm
> blib/lib/SVN/Client.pm
> cp Ra.pm blib/lib/SVN/Ra.pm
> AutoSplit: Can't open blib/lib/SVN/Ra.pm: No such file or directory
> cp ../../../../../subversion/bindings/swig/perl/native/Ra.pm
> blib/lib/SVN/Ra.pm
> Makefile.client:1051: recipe for target 'pm_to_blib' failed

hmm, rebuilding subversion went well. Possibly a parallel build problem?

Also, svn uses swig but has no dependency on dev-lang/swig

+  13 Apr 2015; Lars Wendler <polynomial-c@gentoo.org> subversion-1.8.13.ebuild:
+  Added dev-lang/swig to DEPEND.
+

No runtime dependency, so only added to DEPEND.

Based on the CVE descriptions on the subversion homepage, two of three vulnerabilities were fixed in 1.7.20, and the last one does not affect the 1.7.* branch, as I understand it. So adding 1.7.20 and stabilizing it should be fine.

+  23 Apr 2015; Thomas Sachau (Tommy[D]) <tommy@gentoo.org>
+  +subversion-1.7.20.ebuild:
+  Version bump for bug 545348
+

(In reply to Lars Wendler (Polynomial-C) from comment #4)
> +  13 Apr 2015; Lars Wendler <polynomial-c@gentoo.org>
> subversion-1.8.13.ebuild:
> +  Added dev-lang/swig to DEPEND.
> +
>
> No runtime dependency, so only added to DEPEND.

According to http://www.linuxfromscratch.org/blfs/view/cvs/general/subversion.html subversion wants a newer swig (3.0.5)

The ruby error is still there:
checking for ruby... (cached) /usr/bin/ruby21
checking rb_hash_foreach... ./configure: line 22777: /usr/bin/ruby21: No such file or directory
no
configure: WARNING: The detected Ruby is too old for Subversion to use
configure: WARNING: A Ruby which has rb_hash_foreach is required to use the
configure: WARNING: Subversion Ruby bindings
configure: WARNING: Upgrade to the official 1.8.2 release, or later

I guess you would have to set RUBY=none or similar

+  12 May 2015; Lars Wendler <polynomial-c@gentoo.org> subversion-1.8.13.ebuild:
+  Fixed configure run with USE="-ruby".
+

Arches, please test and mark stable:
=dev-vcs/subversion-1.7.20 with target keywords="alpha amd64 ~arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
and
=dev-vcs/subversion-1.8.13 with target keywords="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

amd64 stable

*** Bug 548426 has been marked as a duplicate of this bug. ***

Repoman fails with:
  dependency.bad [fatal] 28
   dev-vcs/subversion/subversion-1.8.13.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-lang/ruby-2.1:2.1', 'dev-ruby/rubygems[ruby_targets_ruby21]']
   dev-vcs/subversion/subversion-1.8.13.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-lang/ruby-2.1:2.1', 'dev-ruby/rubygems[ruby_targets_ruby21]']
[...]

ia64 stable

CVE-2015-0251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0251):
  The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via crafted v1 HTTP protocol request sequences.

CVE-2015-0248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0248):
  The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers.

CVE-2015-0202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0202):
  The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes.

arm stable for the 1.7 series (1.8 needs ruby-2.1)

+  27 May 2015; Markus Meier <maekke@gentoo.org> subversion-1.7.20.ebuild:
+  arm stable, bug #545348
+

+*subversion-1.8.13-r2 (30 May 2015)
+*subversion-1.8.13-r1 (30 May 2015)
+
+  30 May 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -subversion-1.8.13.ebuild, +subversion-1.8.13-r1.ebuild,
+  +subversion-1.8.13-r2.ebuild:
+  Split subversion-1.8.13 into two versions. One for stable users depending on
+  ruby20 and one for unstable users depending on ruby21.
+

Arches please test and mark stable =dev-vcs/subversion-1.8.13-r1 (not -r2!) with target KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

subversion-1.8.13-r1.ebuild:KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

ia64 stable

amd64 stable

x86 stable

Stable for HPPA PPC64.

sparc stable

arm stable

ppc stable

alpha stable.

Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.

Vulnerable versions removed

Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request.

This issue was resolved and addressed in GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05 by GLSA coordinator Aaron Bauman (b-man).
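The three NVD descriptions quoted in this bug each give inclusive "X through Y" version ranges, and the bug summary gives the first fixed release per branch (1.7.20 and 1.8.13). The script below is an added example, not Gentoo's or Subversion's own tooling: it turns those ranges into a numeric version check so that a host's `svn --version` output can be matched against them without the usual string-comparison mistake ("1.8.9" sorting after "1.8.11"). The ranges and fixed versions are copied from this page; the version-string samples in the tests are constructed.

```python
"""Affected-version check for CVE-2015-0202, -0248 and -0251 (added example).

The inclusive ranges below are transcribed from the NVD descriptions quoted
in this bug; the fixed releases come from the bug summary
(<dev-vcs/subversion-{1.7.20,1.8.13}).  Nothing here is fetched live.
"""
import re
import subprocess

# (lowest affected, highest affected) per CVE, inclusive at both ends.
AFFECTED = {
    "CVE-2015-0251": [((1, 5, 0), (1, 7, 19)), ((1, 8, 0), (1, 8, 11))],
    "CVE-2015-0248": [((1, 6, 0), (1, 7, 19)), ((1, 8, 0), (1, 8, 11))],
    "CVE-2015-0202": [((1, 8, 0), (1, 8, 11))],
}

# First release of each branch that carries the fixes, per this bug's summary.
FIXED = {(1, 7): (1, 7, 20), (1, 8): (1, 8, 13)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull major.minor.patch out of '1.8.13' or 'svn, version 1.8.13 (r1667537)'.

    Returns an int tuple so comparisons are numeric; compared as strings,
    '1.8.9' > '1.8.11', which would wrongly mark 1.8.9 as not affected.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no x.y.z version number in %r" % (text,))
    return tuple(int(part) for part in m.groups())


def _as_tuple(version):
    return parse_version(version) if isinstance(version, str) else tuple(version)


def affected_cves(version):
    """Sorted CVE ids whose affected ranges contain `version`."""
    v = _as_tuple(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(low <= v <= high for low, high in ranges))


def recommended_upgrade(version):
    """Lowest fixed release on the same minor branch, or None.

    None means either "not affected" or "this page lists no fixed point
    release for that branch" (a 1.6.x server has to move to a supported
    branch rather than to a patch release).
    """
    v = _as_tuple(version)
    if not affected_cves(v):
        return None
    return FIXED.get(v[:2])


def installed_version():
    """Ask the local binary; `svn --version --quiet` prints only the number."""
    out = subprocess.run(["svn", "--version", "--quiet"],
                         capture_output=True, text=True, check=True).stdout
    return parse_version(out)


if __name__ == "__main__":
    v = installed_version()
    hits = affected_cves(v)
    print("svn %s: %s" % (".".join(map(str, v)),
                          ", ".join(hits) or "not in any listed range"))
    if hits:
        print("upgrade to", recommended_upgrade(v) or "a supported branch")
```

Two caveats when reading the result: the check only says whether the installed package version falls inside a quoted range, and all three CVEs live in the server side (mod_dav_svn and svnserve), so a client-only host is not reachable through them even when it is "affected"; and Gentoo revision suffixes such as -r1 never appear in `svn --version`, so on a Gentoo system the authoritative comparison is the ebuild version the GLSA names, not the upstream number alone.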