Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 57747 - dev-util/subversion 1.0.6 released. SECURITY FIX
Summary: dev-util/subversion 1.0.6 released. SECURITY FIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: C4 [glsa] jaervosz
Depends on:
Reported: 2004-07-20 09:45 UTC by Tom Hosiawa
Modified: 2011-10-30 22:39 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tom Hosiawa 2004-07-20 09:45:07 UTC
Subversion 1.0.6 is ready. Grab it from: 

The MD5 checksums are:

  160c655194dff55f9fdd856110801d01  subversion-1.0.6.tar.gz
  bb05fe041fef7491b3555904d97f5e1c  subversion-1.0.6.tar.bz2

PGP Signatures are available at:

PGP Signatures will be made by the following person(s) for this release:
   Ben Reser [1024D/641E358B] with fingerprint:
   42F5 91FD E577 F545 FB40  8F6B 7241 856B 641E 358B

This is likely the last bugfix release in the 1.0.x line.  

Subversion versions up to and including 1.0.5 have a bug in
mod_authz_svn that allows users with write access to read
portions of the repository that they do not have read access
to.  Subversion 1.0.6 and newer (including 1.1.0-rc1) are not
vulnerable to this issue.


mod_authz_svn would allow a user to copy portions of a repo to which
they did not have read permissions to portions that they did have 
read permissions on, thereby evading the read restrictions.


This is a low risk issue.  Only sites running mod_authz_svn (an
Apache module) that are trying to restrict some of their users
with write access to a repo from reading part of that repo are

Most installations will not fall into this category.
Additionally, any attempt to use such a vulnerability will be
apparent as the copy will be versioned.  Plus, it's doubtful
any site would permit public write access to its repository
so this issue should not be accessible by unauthenticated users.

This vulnerability does not affect users running svnserve.


* Disable DAV and use svnserve.

* Separate content into different repos.

* Disable the COPY method via Apache configuration.  Note this will
  disallow all copies.


We recommend all users upgrade to 1.0.6 or 1.1.0-rc1.

Questions, comments, and bug reports to

-The Subversion Team 


 * fixed: crash in status command, caused by race (r10144)
 * fixed: crashes when deleting a revision-prop (r10148, r10185, r10192)
 * fixed: mod_authz_svn allows COPY method on repos with space in name (#1837)
 * fixed: mod_authz_svn COPY security hole:  authorize whole tree (issue #1949)

 Developer-visible changes:
 * neon 0.24.7 now required (fixes wire compression bugs) (r10159, 10176)

To unsubscribe, e-mail:
For additional commands, e-mail:

Reproducible: Always
Steps to Reproduce:
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-07-20 10:37:02 UTC
Paul will look into this and provide an ebuild?

Please also remove old vulnerable and uneeded versions.
Comment 2 Kurt Lieber (RETIRED) gentoo-dev 2004-07-20 10:41:49 UTC
Stuart --

mind tending to this while Paul is enjoying his vacation?
Comment 3 Stuart Herbert (RETIRED) gentoo-dev 2004-07-20 12:01:23 UTC
Okay, I'm looking at it now.
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2004-07-20 12:40:21 UTC
Right, dev-util/subversion-1.0.6 and net-misc/neon-0.24.7 are now in the tree, and marked as ~arch.  I'll get started on testing on x86.  If you can start getting the other arches testing and marking stable, that'll be great.

Best regards,
Comment 5 solar (RETIRED) gentoo-dev 2004-07-20 12:47:21 UTC
Arch maintainers please test subversion-1.0.6 and mark stable.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-07-20 13:16:46 UTC
Target keywords:

alpha amd64 hppa ~ppc sparc x86
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-07-20 13:26:25 UTC
Also remember to mark net-misc/neon-0.24.7 stable as subversion depends on it.
Comment 8 Stuart Herbert (RETIRED) gentoo-dev 2004-07-20 13:52:25 UTC
Stable on x86.
Comment 9 Ciaran McCreesh 2004-07-20 13:54:25 UTC
subversion 1.0.6, now with sparc goodness. coming soon to an rsync mirror near you!

Warning: may eat excessive amounts of disk space and RAM. Your data is at risk if you do not keep up repayments on the bribe money required for the db not to corrupt itself. XML has been known to cause cancer in lab rats.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-07-23 04:48:09 UTC
Stable on alpha.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-07-23 07:33:41 UTC
ppc,amd64,hppa: please mark neon-0.24.7 stable
amd64,hppa: please mark subversion-1.0.6 stable
Comment 12 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-07-23 12:11:28 UTC
I can draft this, hopefully sometime this weekend.
Comment 13 Travis Tilley (RETIRED) gentoo-dev 2004-07-23 15:00:59 UTC
stable on amd64
Comment 14 Guy Martin (RETIRED) gentoo-dev 2004-07-23 15:05:05 UTC
Stable on hppa.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-07-26 01:51:31 UTC
Since subversion is ~ on the PPC platform, I think it's not necessary to wait for ppc to mark neon-0.24.7 stable to release the GLSA. People running suversion as ~ on ppc will probably know they need to have neon ~ too to resolve the dependency.

ppc : feel free to mark neon-0.24.7 stable if you disagree.
Comment 16 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-07-26 11:36:30 UTC
GLSA 200407-20.