Created attachment 343764: Subversion Advisories. The Gentoo Linux Security Team received advance notification from Ben Reser (breser@apache.org) of 4 denial of service vulnerabilities found in Subversion. The vulnerabilities affect versions prior to 1.7.8 and 1.6.21. The patches and fixed versions will be released 2013-04-04 21:00 UTC. The fixed versions are also available at $URL. The advisories and patches are attached.
I don't plan to support the 1.6 series anymore, so this will result in 1.6.17-r7 being dropped, unless someone else steps up to maintain the 1.6 series or subversion itself. The fixed 1.7.9 version from $URL compiles fine with the 1.7.8 ebuild, so a quick bump for that one can be done.
Now public.
ebuild for 1.7.9 added
(In reply to comment #3)
> ebuild for 1.7.9 added

Should we proceed to stabilize?
(In reply to comment #4)
> (In reply to comment #3)
> > ebuild for 1.7.9 added
>
> Should we proceed to stabilize?

I added 2 dependency related fixes yesterday, which also affected version 1.7.7 as the current stable version. Otherwise there have not been any bug reports, so it looks good for stabilization.
Arches, please test and mark stable: =dev-vcs/subversion-1.7.9 Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
amd64 stable
x86 stable
arm stable
ia64 stable
ppc stable
ppc64 stable
s390 stable
sh stable
sparc stable
Stable for HPPA.
alpha stable
Old removed, @security, please add it to existing draft.
CVE-2013-1884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1884):
  The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an invalid limit, which triggers an access of an uninitialized variable.

CVE-2013-1847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1847):
  The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist.

CVE-2013-1846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1846):
  The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a LOCK on an activity URL.

CVE-2013-1845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1845):
  The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory.
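The four NVD entries above each give an affected version range, and the practical question for anyone running mod_dav_svn is which of them a given host's Subversion falls into. The following is an added example (not part of this bug thread, and not code from the Subversion or Gentoo projects) that encodes those ranges as data and checks a version string against them. The `AFFECTED` table is transcribed from the NVD text above; the `svn --version` lines in `SAMPLE_HOSTS` are constructed sample input, with placeholder revision numbers.

```python
"""Version-range check for the four mod_dav_svn CVEs listed above.

Added example, not part of the bug thread. Affected ranges are transcribed
from the NVD descriptions quoted in the thread; the sample host output below
is constructed.
"""
import re

# Affected ranges per CVE as (low, high) inclusive pairs of version triples.
# "1.6.x before 1.6.21" and "1.6.0 through 1.6.20" describe the same range.
AFFECTED = {
    "CVE-2013-1884": [((1, 7, 0), (1, 7, 8))],
    "CVE-2013-1847": [((1, 6, 0), (1, 6, 20)), ((1, 7, 0), (1, 7, 8))],
    "CVE-2013-1846": [((1, 6, 0), (1, 6, 20)), ((1, 7, 0), (1, 7, 8))],
    "CVE-2013-1845": [((1, 6, 0), (1, 6, 20)), ((1, 7, 0), (1, 7, 8))],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z in `text` as a tuple of ints, or None.

    Accepts a bare "1.7.8" as well as a full line such as
    "svn, version 1.7.8 (rXXXXXXX)". Tuples compare numerically, so
    1.7.10 sorts after 1.7.8; a plain string comparison would get that wrong
    and report a patched host as vulnerable.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def affected_cves(version_text):
    """Return the sorted list of CVE IDs whose affected range contains the version."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError("no x.y.z version found in %r" % (version_text,))
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= v <= hi for lo, hi in ranges))


# Constructed sample output of `svn --version` from a few hypothetical hosts;
# the (rXXXXXXX) revision tags are placeholders, not real revisions.
SAMPLE_HOSTS = {
    "build01": "svn, version 1.7.8 (rXXXXXXX)",
    "build02": "svn, version 1.7.9 (rXXXXXXX)",
    "legacy01": "svn, version 1.6.20 (rXXXXXXX)",
    "legacy02": "svn, version 1.6.21 (rXXXXXXX)",
}


def triage(hosts=SAMPLE_HOSTS):
    """Map each host name to the CVE IDs its reported version is affected by."""
    return {host: affected_cves(text) for host, text in hosts.items()}


if __name__ == "__main__":
    for host, cves in sorted(triage().items()):
        print("%-9s %s" % (host, ", ".join(cves) or "not affected"))
```

Two caveats when using this against real hosts: the ranges only cover what NVD states, so a 1.5.x or older server (past end of life at the time) comes back empty rather than "unknown", and the check describes the Subversion libraries, so it is only meaningful on hosts that actually serve repositories through mod_dav_svn. On Gentoo the version to feed in is the installed dev-vcs/subversion package version; a 1.6.17-r7 system is correctly reported as affected, which is why that ebuild is being dropped rather than patched in this thread.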
Updated existing GLSA.
This issue was resolved and addressed in GLSA 201309-11 at http://security.gentoo.org/glsa/glsa-201309-11.xml by GLSA coordinator Sean Amoss (ackle).