CVE-2021-28544 (https://subversion.apache.org/security/CVE-2021-28544-advisory.txt):
Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed, not its contents. Both httpd and svnserve servers are vulnerable.

CVE-2022-24070 (https://subversion.apache.org/security/CVE-2022-24070-advisory.txt):
While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed.

Please bump to 1.14.2.
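To make the CVE-2021-28544 leak concrete, here is an added audit example (written for this bug entry, not code from Subversion or Gentoo) that models a simplified subset of Subversion's path-based authz and, for a given user, flags log changes whose 'copyfrom' source that user may not read. Those are exactly the entries a pre-1.14.2 server would still have reported. Assumptions, labelled in the code: single-repository sections only (no `repo:/path`), no aliases or wildcards, nearest ancestor section wins, and within a section a user rule beats a group rule which beats `*`. The sample authz file and the sample `svn log -v` style changes are constructed for the example, and the "fixed" view that downgrades a protected copy to a plain add is this example's model of the intended behaviour, not the project's code.

```python
"""Audit helper for CVE-2021-28544 (added example, not Subversion/Gentoo code).

Models a SIMPLIFIED subset of Subversion path-based authz (ASSUMPTION: no
repository-qualified sections, no aliases, no wildcards; nearest ancestor
section wins; within a section user > @group > '*').
"""
import configparser
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample authz file: /private is readable only by 'admin'.
SAMPLE_AUTHZ = """
[groups]
devs = alice, bob

[/]
* = r
@devs = rw

[/private]
* =
admin = rw
"""


@dataclass
class LogChange:
    """One changed path as 'svn log -v' would report it."""
    path: str
    action: str
    copyfrom_path: Optional[str] = None
    copyfrom_rev: Optional[int] = None


# Constructed sample changes: secret.txt was copied out of /private.
SAMPLE_CHANGES = [
    LogChange("/trunk/README", "M"),
    LogChange("/trunk/secret.txt", "A", "/private/secret.txt", 41),
    LogChange("/trunk/other.txt", "A", "/trunk/README", 40),
]


class Authz:
    def __init__(self, text: str):
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.optionxform = str  # keep principal names case-sensitive
        cp.read_string(text)
        self.groups = {}
        if cp.has_section("groups"):
            for name, members in cp.items("groups"):
                self.groups[name] = {m.strip() for m in members.split(",") if m.strip()}
        # section name -> {principal: permission string}, normalised to '/'-rooted paths
        self.rules = {}
        for section in cp.sections():
            if section != "groups":
                self.rules[section.rstrip("/") or "/"] = dict(cp.items(section))

    def _matches(self, principal: str, user: str) -> bool:
        if principal == "*":
            return True
        if principal.startswith("@"):
            return user in self.groups.get(principal[1:], set())
        return principal == user

    def _permission(self, user: str, rules: dict) -> Optional[str]:
        # ASSUMPTION: most specific matching principal in a section wins.
        best = None
        for principal, value in rules.items():
            spec = 0 if principal == "*" else 1 if principal.startswith("@") else 2
            if self._matches(principal, user) and (best is None or spec > best[0]):
                best = (spec, value)
        return None if best is None else best[1]

    def can_read(self, user: str, path: str) -> bool:
        """Walk from the path up to '/', the nearest section with a rule decides."""
        p = path.rstrip("/") or "/"
        while True:
            rules = self.rules.get(p)
            if rules is not None:
                perm = self._permission(user, rules)
                if perm is not None:
                    return "r" in perm
            if p == "/":
                return False  # no rule anywhere: deny by default
            p = p.rsplit("/", 1)[0] or "/"

    def disclosed_copyfrom(self, user: str, changes: List[LogChange]) -> List[LogChange]:
        """Changes whose copyfrom source the user may not read: what a
        vulnerable server leaked to this user."""
        return [c for c in changes
                if c.copyfrom_path and self.can_read(user, c.path)
                and not self.can_read(user, c.copyfrom_path)]


def filter_log_changes(authz: Authz, user: str, changes: List[LogChange]) -> List[LogChange]:
    """Model of the intended (fixed) server view: unreadable paths are dropped and
    a copy from an unreadable source is shown as a plain add with no copyfrom."""
    out = []
    for c in changes:
        if not authz.can_read(user, c.path):
            continue
        if c.copyfrom_path and not authz.can_read(user, c.copyfrom_path):
            out.append(LogChange(c.path, c.action))
        else:
            out.append(c)
    return out


if __name__ == "__main__":
    authz = Authz(SAMPLE_AUTHZ)
    for c in authz.disclosed_copyfrom("alice", SAMPLE_CHANGES):
        print(f"leaked to alice: {c.path} copied from {c.copyfrom_path}@{c.copyfrom_rev}")
```

Run against a real dump of `svn log -v --xml` output and your server's authz file, the same `disclosed_copyfrom` check tells you which historical copies exposed hidden path names to which users before the upgrade to 1.14.2; the names are all that leaked, not contents, matching the advisory.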
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8dd9ea5055c9f00eb442189a59addad5dad0dda6

commit 8dd9ea5055c9f00eb442189a59addad5dad0dda6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-06-08 07:09:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-06-08 07:09:35 +0000

    dev-vcs/subversion: add 1.14.2

    Closes: https://bugs.gentoo.org/845984
    Bug: https://bugs.gentoo.org/838085
    Bug: https://bugs.gentoo.org/807343
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/subversion/Manifest                      |   1 +
 .../files/subversion-1.14.2-python3.11.patch     |  16 +
 dev-vcs/subversion/subversion-1.14.2.ebuild      | 441 +++++++++++++++++++++
 3 files changed, 458 insertions(+)
Cleanup done
Denial of service in non-default configuration at worst, no GLSA.