We have received a confidential pre-notification for multiple security alerts for Subversion clients and servers:

* CVE-2015-3184 Mixed anonymous/authenticated path-based authz with httpd 2.4.
* CVE-2015-3187 svn_repos_trace_node_locations() leaks paths hidden by authz.

Lars and Thomas, I have emailed you the details. Can you prepare an updated ebuild or prepare for the new release so we can rapidly stabilize it on release date?

Agostino, will you be available on release date for stabilization?
(In reply to Tobias Heinlein from comment #0)
> Agostino, will you be available on release date for stabilization?

Sure..
so, any prepared ebuilds?
+*subversion-1.9.0 (06 Aug 2015) +*subversion-1.8.14-r1 (06 Aug 2015) +*subversion-1.8.14 (06 Aug 2015) + + 06 Aug 2015; Lars Wendler <polynomial-c@gentoo.org> + -subversion-1.8.13-r2.ebuild, +subversion-1.8.14.ebuild, + +subversion-1.8.14-r1.ebuild, +subversion-1.9.0.ebuild: + Security bump (bug #55607). Removed old. + Once tommy added the ebuild for 1.7.x version arches should stabilize =dev-vcs/subversion-1.8.14 (not the -r1 ebuild!) and his 1.7.x version.
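Review bot: the bug reference in the "Security bump (bug #55607)" line of this ChangeLog entry does not match the "bug 556076" cited in the 1.7.21 entry for the same bump. The two numbers should agree so that both entries lead back to the same report; please confirm which is correct and use it in both places.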
Public as per https://subversion.apache.org/security/.
+*subversion-1.7.21 (06 Aug 2015) + + 06 Aug 2015; Thomas Sachau (Tommy[D]) <tommy@gentoo.org> + +subversion-1.7.21.ebuild: + Version bump for 1.7 series to 1.7.21 for bug 556076, known issue: some tests + may fail + arches, please mark stable: =dev-vcs/subversion-1.7.21 with target keywords="alpha amd64 arm ~arm64 ~hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" and =dev-vcs/subversion-1.8.14 with target keywords="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
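Review bot: the "known issue: some tests may fail" wording in the 1.7.21 ChangeLog entry does not say which tests fail or under what conditions, so an arch tester cannot tell an expected failure from a regression in a security bump. Suggest naming the affected tests or pointing to where the failures are tracked.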
amd64 stable
Stable on alpha.
ia64 stable
x86 stable
Stable for PPC64.
arm stable
Stable for HPPA.
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s).
ebuilds for subversion-1.7.20 and subversion-1.8.13-r1 removed.
Maintainer(s), Thank you for cleanup.
This issue was resolved and addressed in GLSA 201610-05 at https://security.gentoo.org/glsa/201610-05 by GLSA coordinator Aaron Bauman (b-man).