Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 838085 (CVE-2021-28544, CVE-2022-24070) - <dev-vcs/subversion-1.14.2: multiple vulnerabilities
Summary: <dev-vcs/subversion-1.14.2: multiple vulnerabilities
Alias: CVE-2021-28544, CVE-2022-24070
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 852656
  Show dependency tree
Reported: 2022-04-12 14:09 UTC by John Helmert III
Modified: 2023-04-30 22:54 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-12 14:09:05 UTC
CVE-2021-28544 (

Subversion servers reveal 'copyfrom' paths that should be hidden according
to configured path-based authorization (authz) rules.  When a node has been
copied from a protected location, users with access to the copy can see the
'copyfrom' path of the original.  This also reveals the fact that the node
was copied.  Only the 'copyfrom' path is revealed; not its contents. Both
httpd and svnserve servers are vulnerable.

CVE-2022-24070 (

While looking up path-based authorization rules, mod_dav_svn servers
may attempt to use memory which has already been freed.

Please bump to 1.14.2.
Comment 1 Larry the Git Cow gentoo-dev 2022-06-08 07:09:50 UTC
The bug has been referenced in the following commit(s):

commit 8dd9ea5055c9f00eb442189a59addad5dad0dda6
Author:     Sam James <>
AuthorDate: 2022-06-08 07:09:24 +0000
Commit:     Sam James <>
CommitDate: 2022-06-08 07:09:35 +0000

    dev-vcs/subversion: add 1.14.2
    Signed-off-by: Sam James <>

 dev-vcs/subversion/Manifest                        |   1 +
 .../files/subversion-1.14.2-python3.11.patch       |  16 +
 dev-vcs/subversion/subversion-1.14.2.ebuild        | 441 +++++++++++++++++++++
 3 files changed, 458 insertions(+)
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2023-04-03 20:40:09 UTC
Cleanup done
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 22:54:37 UTC
Denial of service in non-default configuration at worst, no GLSA.