Bug 350166 (CVE-2010-4539) - <dev-vcs/subversion-1.6.15: remote DoS (CVE-2010-{4539,4644})
Summary: <dev-vcs/subversion-1.6.15: remote DoS (CVE-2010-{4539,4644})
Alias: CVE-2010-4539
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2010-12-30 17:08 UTC by Arfrever Frehtes Taifersar Arahesis (RETIRED)
Modified: 2013-09-23 23:15 UTC

See Also:
Package list:
Runtime testing required: ---


Description Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-12-30 17:08:06 UTC
Stabilize dev-vcs/subversion-1.6.15.

Some tests are known to fail in some configurations (time zone, locale, USE
flags), so failure of tests causes only a warning.

Tests of bindings usually use Subversion libraries from /usr/lib, so these
tests are disabled by default.

Log of currently running tests:
Logs of tests with particular combinations of RA type and FS type:
Apache logs:
svnserve log:

If tests seem to hang, you can use the following command to check progress of
  tail -f "${S}/tests.log"
Comment 1 Alex Buell 2011-01-01 10:44:32 UTC
Tested on SPARC, majority of tests passed. Installed OK.
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2011-01-01 18:29:46 UTC
amd64 done
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-02 08:59:11 UTC
x86 stable
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-06 06:47:40 UTC
There is a security issue that requires this update, see

I'm suggesting A3 severity level based on .
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2011-01-06 12:49:59 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-01-07 00:42:43 UTC
It looks like there were two issues fixed in this release. From

So for 
A, "* prevent crash in mod_dav_svn when using SVNParentPath (r1033166)"
  Upstream changeset:

Let's use CVE-2010-4539.

B, "* fix server-side memory leaks triggered by 'blame -g' (r1032808)"
  Upstream changeset:

Let's use CVE-2010-4644.

Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-07 11:53:35 UTC
ppc/ppc64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-11 19:17:35 UTC
Stable for HPPA.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-01-12 05:05:45 UTC
Thanks, folks. GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 18:12:17 UTC
CVE-2010-4644:
  Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 allow
  remote authenticated users to cause a denial of service (memory consumption
  and daemon crash) via the -g option to the blame command.

CVE-2010-4539:
  The walk function in repos.c in the mod_dav_svn module for the Apache HTTP
  Server, as distributed in Apache Subversion before 1.6.15, allows remote
  authenticated users to cause a denial of service (NULL pointer dereference
  and daemon crash) via vectors that trigger the walking of SVNParentPath
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-09-23 23:15:24 UTC
This issue was resolved and addressed in
 GLSA 201309-11 at
by GLSA coordinator Sean Amoss (ackle).