Bug 556076 (CVE-2015-3184)

Summary: <dev-vcs/subversion-{1.7.21,1.8.14}: Multiple vulnerabilities (CVE-2015-{3184,3187})
Product: Gentoo Security
Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ago, polynomial-c, tommy
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 539642
Bug Blocks:

Description Tobias Heinlein (RETIRED) gentoo-dev 2015-07-27 21:45:00 UTC
We have received a confidential pre-notification for multiple security alerts for Subversion clients and servers:

 * CVE-2015-3184
   Mixed anonymous/authenticated path-based authz with httpd 2.4.
 * CVE-2015-3187
   svn_repos_trace_node_locations() leaks paths hidden by authz.


Lars and Thomas, I have emailed you the details. Can you prepare an updated ebuild or prepare for the new release so we can rapidly stabilize it on release date?

Agostino, will you be available on release date for stabilization?
Comment 1 Agostino Sarubbo gentoo-dev 2015-07-28 07:34:35 UTC
(In reply to Tobias Heinlein from comment #0)
> Agostino, will you be available on release date for stabilization?

Sure.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-05 20:31:18 UTC
So, any prepared ebuilds?
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-08-06 05:38:41 UTC
+*subversion-1.9.0 (06 Aug 2015)
+*subversion-1.8.14-r1 (06 Aug 2015)
+*subversion-1.8.14 (06 Aug 2015)
+
+  06 Aug 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -subversion-1.8.13-r2.ebuild, +subversion-1.8.14.ebuild,
+  +subversion-1.8.14-r1.ebuild, +subversion-1.9.0.ebuild:
+  Security bump (bug #55607). Removed old.
+
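Review bot: the bug reference in the ChangeLog entry reads "bug #55607", which does not match this bug's number 556076 (a digit appears to be missing); the entry should cite bug #556076 so the security bump can be traced back to this report.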

Once tommy has added the ebuild for the 1.7.x version, arches should stabilize =dev-vcs/subversion-1.8.14 (not the -r1 ebuild!) and his 1.7.x version.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2015-08-06 13:28:12 UTC
Public as per https://subversion.apache.org/security/.
Comment 5 Thomas Sachau gentoo-dev 2015-08-06 19:30:31 UTC
+*subversion-1.7.21 (06 Aug 2015)
+
+  06 Aug 2015; Thomas Sachau (Tommy[D]) <tommy@gentoo.org>
+  +subversion-1.7.21.ebuild:
+  Version bump for 1.7 series to 1.7.21 for bug 556076, known issue: some tests
+  may fail
+
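Review bot: "known issue: some tests may fail" in the ChangeLog entry is too vague to act on; name the failing tests (or the conditions under which they fail) and state whether the ebuild restricts or skips them, so arch testers stabilizing 1.7.21 know which failures are expected.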

arches, please mark stable:

=dev-vcs/subversion-1.7.21 with target keywords="alpha amd64 arm ~arm64 ~hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

and

=dev-vcs/subversion-1.8.14 with target keywords="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-06 19:55:46 UTC
amd64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2015-08-07 08:39:10 UTC
Stable on alpha.
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-09 15:35:46 UTC
ia64 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-09 17:57:53 UTC
x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-15 08:02:41 UTC
Stable for PPC64.
Comment 11 Markus Meier gentoo-dev 2015-08-16 19:55:37 UTC
arm stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-18 03:56:26 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2015-08-26 07:29:24 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-09-06 08:33:04 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-09-09 04:03:46 UTC
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 16 Thomas Sachau gentoo-dev 2015-09-13 18:49:08 UTC
ebuilds for subversion-1.7.20 and subversion-1.8.13-r1 removed.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-09-27 03:10:18 UTC
Maintainer(s), thank you for the cleanup.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 12:47:32 UTC
This issue was resolved and addressed in
 GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05
by GLSA coordinator Aaron Bauman (b-man).