Mailinglist Archive: opensuse-updates (111 mails)

< Previous Next >
openSUSE-SU-2013:0687-1: moderate: subversion: security and bugfix minor version updates
openSUSE Security Update: subversion: security and bugfix minor version
updates
______________________________________________________________________________

Announcement ID: openSUSE-SU-2013:0687-1
Rating: moderate
References: #813913
Cross-References: CVE-2013-1845 CVE-2013-1846 CVE-2013-1847
CVE-2013-1849 CVE-2013-1884
Affected Products:
openSUSE 12.3
openSUSE 12.2
openSUSE 12.1
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:


Subversion received minor version updates to fix remote
triggerable vulnerabilities in mod_dav_svn which may result
in denial of service.

On openSUSE 12.1:
- update to 1.6.21 [bnc#813913], addressing remotely
triggerable
+ CVE-2013-1845: mod_dav_svn excessive memory usage from
property changes
+ CVE-2013-1846: mod_dav_svn crashes on LOCK requests
against activity URLs
+ CVE-2013-1847: mod_dav_svn crashes on LOCK requests
against non-existant URLs
+ CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests
against activity URLs
- further changes:
+ mod_dav_svn will omit some property values for activity
urls
+ improve memory usage when committing properties in
mod_dav_svn
+ fix mod_dav_svn runs pre-revprop-change twice
+ fixed: post-revprop-change errors cancel commit
+ improved logic in mod_dav_svn's implementation of lock.
+ fix a compatibility issue with g++ 4.7

On openSUSE 12.2 and 12.3:
- update to 1.7.9 [bnc#813913], addressing remotely
triggerable vulnerabilities in mod_dav_svn which may
result in denial of service:
+ CVE-2013-1845: mod_dav_svn excessive memory usage from
property changes
+ CVE-2013-1846: mod_dav_svn crashes on LOCK requests
against activity URLs
+ CVE-2013-1847: mod_dav_svn crashes on LOCK requests
against non-existant URLs
+ CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests
against activity URLs
+ CVE-2013-1884: mod_dav_svn crashes on out of range
limit in log REPORT
- further changes:
+ Client-side bugfixes:
* improved error messages about svn:date and svn:author
props.
* fix local_relpath assertion
* fix memory leak in `svn log` over svn://
* fix incorrect authz failure when using neon http
library
* fix segfault when using kwallet
+ Server-side bugfixes:
* svnserve will log the replayed rev not the low-water
rev.
* mod_dav_svn will omit some property values for
activity urls
* fix an assertion in mod_dav_svn when acting as a
proxy on /
* improve memory usage when committing properties in
mod_dav_svn
* fix svnrdump to load dump files with non-LF line
endings
* fix assertion when rep-cache is inaccessible
* improved logic in mod_dav_svn's implementation of
lock.
* avoid executing unnecessary code in log with limit
- Developer-visible changes:
+ General:
* fix an assertion in dav_svn_get_repos_path() on
Windows
* fix get-deps.sh to correctly download zlib
* doxygen docs will now ignore prefixes when producing
the index
* fix get-deps.sh on freebsd
+ Bindings:
* javahl status api now respects the ignoreExternals
boolean
- refresh subversion-no-build-date.patch for upstream
source changes


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.3:

zypper in -t patch openSUSE-2013-345

- openSUSE 12.2:

zypper in -t patch openSUSE-2013-345

- openSUSE 12.1:

zypper in -t patch openSUSE-2013-345

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 12.3 (i586 x86_64):

libsvn_auth_gnome_keyring-1-0-1.7.9-2.4.1
libsvn_auth_gnome_keyring-1-0-debuginfo-1.7.9-2.4.1
libsvn_auth_kwallet-1-0-1.7.9-2.4.1
libsvn_auth_kwallet-1-0-debuginfo-1.7.9-2.4.1
subversion-1.7.9-2.4.1
subversion-debuginfo-1.7.9-2.4.1
subversion-debugsource-1.7.9-2.4.1
subversion-devel-1.7.9-2.4.1
subversion-perl-1.7.9-2.4.1
subversion-perl-debuginfo-1.7.9-2.4.1
subversion-python-1.7.9-2.4.1
subversion-python-debuginfo-1.7.9-2.4.1
subversion-server-1.7.9-2.4.1
subversion-server-debuginfo-1.7.9-2.4.1
subversion-tools-1.7.9-2.4.1
subversion-tools-debuginfo-1.7.9-2.4.1

- openSUSE 12.3 (noarch):

subversion-bash-completion-1.7.9-2.4.1

- openSUSE 12.2 (i586 x86_64):

libsvn_auth_gnome_keyring-1-0-1.7.9-4.12.1
libsvn_auth_gnome_keyring-1-0-debuginfo-1.7.9-4.12.1
libsvn_auth_kwallet-1-0-1.7.9-4.12.1
libsvn_auth_kwallet-1-0-debuginfo-1.7.9-4.12.1
subversion-1.7.9-4.12.1
subversion-debuginfo-1.7.9-4.12.1
subversion-debugsource-1.7.9-4.12.1
subversion-devel-1.7.9-4.12.1
subversion-perl-1.7.9-4.12.1
subversion-perl-debuginfo-1.7.9-4.12.1
subversion-python-1.7.9-4.12.1
subversion-python-debuginfo-1.7.9-4.12.1
subversion-server-1.7.9-4.12.1
subversion-server-debuginfo-1.7.9-4.12.1
subversion-tools-1.7.9-4.12.1
subversion-tools-debuginfo-1.7.9-4.12.1

- openSUSE 12.2 (noarch):

subversion-bash-completion-1.7.9-4.12.1

- openSUSE 12.1 (i586 x86_64):

libsvn_auth_gnome_keyring-1-0-1.6.21-2.17.1
libsvn_auth_gnome_keyring-1-0-debuginfo-1.6.21-2.17.1
libsvn_auth_kwallet-1-0-1.6.21-2.17.1
libsvn_auth_kwallet-1-0-debuginfo-1.6.21-2.17.1
subversion-1.6.21-2.17.1
subversion-debuginfo-1.6.21-2.17.1
subversion-debugsource-1.6.21-2.17.1
subversion-devel-1.6.21-2.17.1
subversion-perl-1.6.21-2.17.1
subversion-perl-debuginfo-1.6.21-2.17.1
subversion-python-1.6.21-2.17.1
subversion-python-debuginfo-1.6.21-2.17.1
subversion-ruby-1.6.21-2.17.1
subversion-ruby-debuginfo-1.6.21-2.17.1
subversion-server-1.6.21-2.17.1
subversion-server-debuginfo-1.6.21-2.17.1
subversion-tools-1.6.21-2.17.1
subversion-tools-debuginfo-1.6.21-2.17.1


References:

http://support.novell.com/security/cve/CVE-2013-1845.html
http://support.novell.com/security/cve/CVE-2013-1846.html
http://support.novell.com/security/cve/CVE-2013-1847.html
http://support.novell.com/security/cve/CVE-2013-1849.html
http://support.novell.com/security/cve/CVE-2013-1884.html
https://bugzilla.novell.com/813913


< Previous Next >
This Thread
  • No further messages