A new version of Subversion is out, with CVEs reported. Hoping for a Gentoo update soon: https://mail-archives.apache.org/mod_mbox/subversion-announce/201503.mbox/%3C20150331120220.GO17807%40jim.stsp.name%3E Reproducible: Always
+*subversion-1.8.13 (09 Apr 2015) + + 09 Apr 2015; Lars Wendler <polynomial-c@gentoo.org> + +subversion-1.8.13.ebuild, +files/svnserve.initd3: + Security bump (bug #545348). Added slightly rewritten init script. + @thommy: in case there's also a new 1.7.x version, would you mind adding it as well?
hmm, building this fails:
..
checking swig version... 2.0.9
..
cp ../../../../../subversion/bindings/swig/perl/native/Base.pm blib/lib/SVN/Base.pm
cp Delta.pm blib/lib/SVN/Delta.pm
cp Core.pm blib/lib/SVN/Core.pm
cp ../../../../../subversion/bindings/swig/perl/native/Client.pm blib/lib/SVN/Client.pm
cp Ra.pm blib/lib/SVN/Ra.pm
AutoSplit: Can't open blib/lib/SVN/Ra.pm: No such file or directory
cp ../../../../../subversion/bindings/swig/perl/native/Ra.pm blib/lib/SVN/Ra.pm
Makefile.client:1051: recipe for target 'pm_to_blib' failed

There is also this (harmless?) error with USE=-ruby:
checking for ruby... (cached) /usr/bin/ruby21
checking rb_hash_foreach... ./configure: line 22777: /usr/bin/ruby21: No such file or directory
no
configure: WARNING: The detected Ruby is too old for Subversion to use
configure: WARNING: A Ruby which has rb_hash_foreach is required to use the
configure: WARNING: Subversion Ruby bindings
configure: WARNING: Upgrade to the official 1.8.2 release, or later
(In reply to Joakim Tjernlund from comment #2)
> hmm, building this fails:
> ..
> checking swig version... 2.0.9
> ..
> cp ../../../../../subversion/bindings/swig/perl/native/Base.pm blib/lib/SVN/Base.pm
> cp Delta.pm blib/lib/SVN/Delta.pm
> cp Core.pm blib/lib/SVN/Core.pm
> cp ../../../../../subversion/bindings/swig/perl/native/Client.pm blib/lib/SVN/Client.pm
> cp Ra.pm blib/lib/SVN/Ra.pm
> AutoSplit: Can't open blib/lib/SVN/Ra.pm: No such file or directory
> cp ../../../../../subversion/bindings/swig/perl/native/Ra.pm blib/lib/SVN/Ra.pm
> Makefile.client:1051: recipe for target 'pm_to_blib' failed

hmm, rebuilding subversion went well. Possibly a parallel build problem?

Also, svn uses swig but has no dependency on dev-lang/swig.
+ 13 Apr 2015; Lars Wendler <polynomial-c@gentoo.org> subversion-1.8.13.ebuild: + Added dev-lang/swig to DEPEND. + No runtime dependency, so only added to DEPEND.
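Review bot: the new dev-lang/swig entry in DEPEND carries no version bound, while comment #6 later in this bug cites an upstream requirement for a newer swig (3.0.5) and comment #2 shows this build configuring against swig 2.0.9; if a minimum is actually required, express it as a `>=dev-lang/swig-<version>` atom so the build fails at dependency resolution rather than partway through the bindings step.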
Based on the CVE descriptions on the Subversion homepage, two of the three vulnerabilities were fixed in 1.7.20, and the last one does not affect the 1.7.* branch, as I understand it. So adding 1.7.20 and stabilizing it should be fine.
+ 23 Apr 2015; Thomas Sachau (Tommy[D]) <tommy@gentoo.org> + +subversion-1.7.20.ebuild: + Version bump for bug 545348 +
(In reply to Lars Wendler (Polynomial-C) from comment #4)
> + 13 Apr 2015; Lars Wendler <polynomial-c@gentoo.org>
> subversion-1.8.13.ebuild:
> + Added dev-lang/swig to DEPEND.
> +
>
> No runtime dependency, so only added to DEPEND.

According to http://www.linuxfromscratch.org/blfs/view/cvs/general/subversion.html subversion wants a newer swig (3.0.5).

The ruby error is still there:
checking for ruby... (cached) /usr/bin/ruby21
checking rb_hash_foreach... ./configure: line 22777: /usr/bin/ruby21: No such file or directory
no
configure: WARNING: The detected Ruby is too old for Subversion to use
configure: WARNING: A Ruby which has rb_hash_foreach is required to use the
configure: WARNING: Subversion Ruby bindings
configure: WARNING: Upgrade to the official 1.8.2 release, or later

I guess you would have to set RUBY=none or similar.
+ 12 May 2015; Lars Wendler <polynomial-c@gentoo.org> subversion-1.8.13.ebuild: + Fixed configure run with USE="-ruby". +
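Review bot: the ChangeLog line says the configure run with USE="-ruby" was fixed but not how; comment #6 shows configure probing a missing /usr/bin/ruby21 and suggests passing RUBY=none, so naming the mechanism used (an environment override or a configure switch) would let arches confirm the fix matches the failure they saw.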
Arches, please test and mark stable:

=dev-vcs/subversion-1.7.20 with target keywords="alpha amd64 ~arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

and

=dev-vcs/subversion-1.8.13 with target keywords="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
amd64 stable
*** Bug 548426 has been marked as a duplicate of this bug. ***
Repoman fails with:
dependency.bad [fatal] 28
dev-vcs/subversion/subversion-1.8.13.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-lang/ruby-2.1:2.1', 'dev-ruby/rubygems[ruby_targets_ruby21]']
dev-vcs/subversion/subversion-1.8.13.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-lang/ruby-2.1:2.1', 'dev-ruby/rubygems[ruby_targets_ruby21]']
[...]
ia64 stable
CVE-2015-0251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0251): The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences.

CVE-2015-0248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0248): The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers.

CVE-2015-0202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0202): The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes.
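The three CVE entries above each give inclusive affected ranges, and the earlier comment about 1.7.20 covering two of the three only holds if those ranges are read carefully (CVE-2015-0248 starts at 1.6.0, CVE-2015-0251 at 1.5.0, CVE-2015-0202 only touches 1.8.x). The script below is an added example, not part of this bug or of the Gentoo ebuilds: it encodes exactly the ranges quoted above and reports which CVEs apply to a given Subversion version, so an administrator can audit a fleet of installed versions against them. The sample versions at the bottom are constructed for illustration; Gentoo `-rN` revision suffixes are ignored because they do not change the upstream version.

```python
"""Match a Subversion version against the affected ranges quoted in this bug.

Added example, not the bug's or the ebuild's own code. The ranges below are
copied from the CVE descriptions in the thread; nothing else is assumed.
"""
import re

# (CVE id) -> list of inclusive (first affected, last affected) ranges,
# taken verbatim from the NVD descriptions quoted above.
AFFECTED = {
    "CVE-2015-0251": [("1.5.0", "1.7.19"), ("1.8.0", "1.8.11")],
    "CVE-2015-0248": [("1.6.0", "1.7.19"), ("1.8.0", "1.8.11")],
    "CVE-2015-0202": [("1.8.0", "1.8.11")],
}


def parse_version(text):
    """Turn '1.8.13' or Gentoo's '1.8.13-r1' into a comparable (major, minor, patch) tuple.

    The -rN revision suffix is a Gentoo packaging revision, not an upstream
    release, so it is deliberately dropped before comparing.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Subversion version: %r" % text)
    return tuple(int(part) for part in m.groups())


def affected_cves(version):
    """Return the sorted list of CVE ids whose ranges include `version`."""
    v = parse_version(version)
    hits = [
        cve
        for cve, ranges in AFFECTED.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    ]
    return sorted(hits)


def audit(versions):
    """Map each version in `versions` to its applicable CVEs (empty list = clean)."""
    return {ver: affected_cves(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory: the two versions this bug stabilises plus
    # their immediate predecessors and an old 1.5.x install.
    for ver, cves in audit(["1.5.3", "1.7.19", "1.7.20", "1.8.11", "1.8.13-r1"]).items():
        print("%-10s %s" % (ver, ", ".join(cves) if cves else "not affected"))
```

The version tuple comparison is what makes the range check correct for multi-digit components (1.7.19 sorts after 1.7.9), which a plain string comparison would get wrong.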
arm stable for the 1.7 series (1.8 needs ruby-2.1) + 27 May 2015; Markus Meier <maekke@gentoo.org> subversion-1.7.20.ebuild: + arm stable, bug #545348 +
+*subversion-1.8.13-r2 (30 May 2015) +*subversion-1.8.13-r1 (30 May 2015) + + 30 May 2015; Lars Wendler <polynomial-c@gentoo.org> + -subversion-1.8.13.ebuild, +subversion-1.8.13-r1.ebuild, + +subversion-1.8.13-r2.ebuild: + Split subversion-1.8.13 into two versions. One for stable users depending on + ruby20 and one for unstable users depending on ruby21. + Arches please test and mark stable =dev-vcs/subversion-1.8.13-r1 (not -r2!) with target KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" subversion-1.8.13-r1.ebuild:KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
x86 stable
Stable for HPPA PPC64.
sparc stable
arm stable
ppc stable
alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Vulnerable versions removed
Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05 by GLSA coordinator Aaron Bauman (b-man).