Fedora

Fedora 21 Security Update: subversion-1.8.13-7.fc21

Leave a comment

Resolved Bugs
1205138 – CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers
1207724 – CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers [fedora-all]
1205134 – CVE-2015-0202 subversion: (mod_dav_svn) remote denial of service with certain REPORT requests
1207723 – CVE-2015-0202 subversion: (mod_dav_svn) remote denial of service with certain REPORT requests [fedora-all]
1205140 – CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions
1207725 – CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions [fedora-all]
1183873 – subversion must depend on systemd or systemd-units<br
This update includes the latest stable release of **Apache Subversion**, version **1.8.13**.
Three security vulnerabilities are fixed in this update:
* CVE-2015-0202: https://subversion.apache.org/security/CVE-2015-0202-advisory.txt
* CVE-2015-0248: https://subversion.apache.org/security/CVE-2015-0248-advisory.txt
* CVE-2015-0251: https://subversion.apache.org/security/CVE-2015-0251-advisory.txt
In addition, the following changes are included in the Subversion 1.8.13 update:
**Client-side bugfixes:**
* ra_serf: prevent abort of commits that have already succeeded
* ra_serf: support case-insensitivity in HTTP headers
* better error message if an external is shadowed
* ra_svn: fix reporting of directory read errors
* fix a redirect handling bug in ‘svn log’ over HTTP
* properly copy tree conflict information
* fix ‘svn patch’ output for reordered hunks http://subversion.tigris.org/issues/show_bug.cgi?id=4533
* svnrdump load: don’t load wrong props with no-deltas dump http://subversion.tigris.org/issues/show_bug.cgi?id=4551
* fix working copy corruption with relative file external http://subversion.tigris.org/issues/show_bug.cgi?id=4411
* don’t crash if config file is unreadable
* svn resolve: don’t ask a question with only one answer
* fix assertion failure in svn move
* working copy performance improvements
* handle existing working copies which become externals
* fix recording of WC meta-data for foreign repos copies
* fix calculating repository path of replaced directories
* fix calculating repository path after commit of switched nodes
* svnrdump: don’t provide HEAD+1 as base revision for deletes
* don’t leave conflict markers on files that are moved
* avoid unnecessary subtree mergeinfo recording
* fix diff of a locally copied directory with props
**Server-side bugfixes:**
* fsfs: fix a problem verifying pre-1.4 repos used with 1.8
* svnadmin freeze: fix memory allocation error
* svnadmin load: tolerate invalid mergeinfo at r0
* svnadmin load: strip references to r1 from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4538
* svnsync: strip any r0 references from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4476
* fsfs: reduce memory consumption when operating on dag nodes
* reject invalid get-location-segments requests in mod_dav_svn and svnserve
* mod_dav_svn: reject invalid txnprop change requests
**Client-side and server-side bugfixes:**
* fix undefined behaviour in string buffer routines
* fix consistency issues with APR r/w locks on Windows
* fix occasional SEGV if threads load DSOs in parallel
* properly duplicate svn error objects
* fix use-after-free in config parser

Leave a Reply