CVE-2013-6892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6892): WebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a symlink attack in a commit.
Debian has a patch at https://sources.debian.net/patches/patch/websvn/2.3.3-1.2/13_security_CVE-2013-6892.patch/. I would be willing to apply this along with bug 552838 if no one has objections.
Then again, this package will self-destruct with >=dev-lang/php-7.0 without major surgery. Perhaps we should kill it?
Upstream is dead; Patches come from Debian

commit:     196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196fa902

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch | 39 ++++++++++++++
 www-apps/websvn/files/30_CVE-2016-2511.patch | 11 ++++
 www-apps/websvn/files/31_CVE-2016-1236.patch | 61 ++++++++++++++++++++++
 www-apps/websvn/websvn-2.3.3-r1.ebuild | 54 +++++++++++++++++++
 4 files changed, 165 insertions(+)
@arches, please stabilize: =www-apps/websvn-2.3.3-r1
amd64 stable
x86 stable
Stable for PPC64.
@ppc, please finalize stabilization.
ppc stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No
tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804196e1f28457f9538c4b234b43e21befb83dcf