openSUSE Security Update: subversion: security and bugfix minor version updates ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0687-1 Rating: moderate References: #813913 Cross-References: CVE-2013-1845 CVE-2013-1846 CVE-2013-1847 CVE-2013-1849 CVE-2013-1884 Affected Products: openSUSE 12.3 openSUSE 12.2 openSUSE 12.1 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: Subversion received minor version updates to fix remote triggerable vulnerabilities in mod_dav_svn which may result in denial of service. On openSUSE 12.1: - update to 1.6.21 [bnc#813913], addressing remotely triggerable + CVE-2013-1845: mod_dav_svn excessive memory usage from property changes + CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs + CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existant URLs + CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs - further changes: + mod_dav_svn will omit some property values for activity urls + improve memory usage when committing properties in mod_dav_svn + fix mod_dav_svn runs pre-revprop-change twice + fixed: post-revprop-change errors cancel commit + improved logic in mod_dav_svn's implementation of lock. + fix a compatibility issue with g++ 4.7 On openSUSE 12.2 and 12.3: - update to 1.7.9 [bnc#813913], addressing remotely triggerable vulnerabilities in mod_dav_svn which may result in denial of service: + CVE-2013-1845: mod_dav_svn excessive memory usage from property changes + CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs + CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existant URLs + CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs + CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT - further changes: + Client-side bugfixes: * improved error messages about svn:date and svn:author props. * fix local_relpath assertion * fix memory leak in `svn log` over svn:// * fix incorrect authz failure when using neon http library * fix segfault when using kwallet + Server-side bugfixes: * svnserve will log the replayed rev not the low-water rev. * mod_dav_svn will omit some property values for activity urls * fix an assertion in mod_dav_svn when acting as a proxy on / * improve memory usage when committing properties in mod_dav_svn * fix svnrdump to load dump files with non-LF line endings * fix assertion when rep-cache is inaccessible * improved logic in mod_dav_svn's implementation of lock. * avoid executing unnecessary code in log with limit - Developer-visible changes: + General: * fix an assertion in dav_svn_get_repos_path() on Windows * fix get-deps.sh to correctly download zlib * doxygen docs will now ignore prefixes when producing the index * fix get-deps.sh on freebsd + Bindings: * javahl status api now respects the ignoreExternals boolean - refresh subversion-no-build-date.patch for upstream source changes Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2013-345 - openSUSE 12.2: zypper in -t patch openSUSE-2013-345 - openSUSE 12.1: zypper in -t patch openSUSE-2013-345 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.3 (i586 x86_64): libsvn_auth_gnome_keyring-1-0-1.7.9-2.4.1 libsvn_auth_gnome_keyring-1-0-debuginfo-1.7.9-2.4.1 libsvn_auth_kwallet-1-0-1.7.9-2.4.1 libsvn_auth_kwallet-1-0-debuginfo-1.7.9-2.4.1 subversion-1.7.9-2.4.1 subversion-debuginfo-1.7.9-2.4.1 subversion-debugsource-1.7.9-2.4.1 subversion-devel-1.7.9-2.4.1 subversion-perl-1.7.9-2.4.1 subversion-perl-debuginfo-1.7.9-2.4.1 subversion-python-1.7.9-2.4.1 subversion-python-debuginfo-1.7.9-2.4.1 subversion-server-1.7.9-2.4.1 subversion-server-debuginfo-1.7.9-2.4.1 subversion-tools-1.7.9-2.4.1 subversion-tools-debuginfo-1.7.9-2.4.1 - openSUSE 12.3 (noarch): subversion-bash-completion-1.7.9-2.4.1 - openSUSE 12.2 (i586 x86_64): libsvn_auth_gnome_keyring-1-0-1.7.9-4.12.1 libsvn_auth_gnome_keyring-1-0-debuginfo-1.7.9-4.12.1 libsvn_auth_kwallet-1-0-1.7.9-4.12.1 libsvn_auth_kwallet-1-0-debuginfo-1.7.9-4.12.1 subversion-1.7.9-4.12.1 subversion-debuginfo-1.7.9-4.12.1 subversion-debugsource-1.7.9-4.12.1 subversion-devel-1.7.9-4.12.1 subversion-perl-1.7.9-4.12.1 subversion-perl-debuginfo-1.7.9-4.12.1 subversion-python-1.7.9-4.12.1 subversion-python-debuginfo-1.7.9-4.12.1 subversion-server-1.7.9-4.12.1 subversion-server-debuginfo-1.7.9-4.12.1 subversion-tools-1.7.9-4.12.1 subversion-tools-debuginfo-1.7.9-4.12.1 - openSUSE 12.2 (noarch): subversion-bash-completion-1.7.9-4.12.1 - openSUSE 12.1 (i586 x86_64): libsvn_auth_gnome_keyring-1-0-1.6.21-2.17.1 libsvn_auth_gnome_keyring-1-0-debuginfo-1.6.21-2.17.1 libsvn_auth_kwallet-1-0-1.6.21-2.17.1 libsvn_auth_kwallet-1-0-debuginfo-1.6.21-2.17.1 subversion-1.6.21-2.17.1 subversion-debuginfo-1.6.21-2.17.1 subversion-debugsource-1.6.21-2.17.1 subversion-devel-1.6.21-2.17.1 subversion-perl-1.6.21-2.17.1 subversion-perl-debuginfo-1.6.21-2.17.1 subversion-python-1.6.21-2.17.1 subversion-python-debuginfo-1.6.21-2.17.1 subversion-ruby-1.6.21-2.17.1 subversion-ruby-debuginfo-1.6.21-2.17.1 subversion-server-1.6.21-2.17.1 subversion-server-debuginfo-1.6.21-2.17.1 subversion-tools-1.6.21-2.17.1 subversion-tools-debuginfo-1.6.21-2.17.1 References: http://support.novell.com/security/cve/CVE-2013-1845.html http://support.novell.com/security/cve/CVE-2013-1846.html http://support.novell.com/security/cve/CVE-2013-1847.html http://support.novell.com/security/cve/CVE-2013-1849.html http://support.novell.com/security/cve/CVE-2013-1884.html https://bugzilla.novell.com/813913