openSUSE Security Update: subversion: 1.8.8 security and bugfix update
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0307-1
Rating:             moderate
References:         #862459
Cross-References:   CVE-2014-0032
Affected Products:  openSUSE 13.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

Apache Subversion was updated to version 1.8.8:

It fixes a remotely triggerable segfault in mod_dav_svn when svn is handling the server root and SVNListParentPath is on [bnc#862459] CVE-2014-0032

- Client-side bugfixes:
  * fix automatic relocate for wcs not at repository root
  * wc: improve performance when used with SQLite 3.8
  * copy: fix some scenarios that broke the working copy
  * move: fix errors when moving files between an external and the parent working copy
  * log: resolve performance regression in certain scenarios
  * merge: decrease work to detect differences between 3 files
  * commit: don't change file permissions inappropriately
  * commit: fix assertion due to invalid pool lifetime
  * version: don't cut off the distribution version on Linux
  * flush stdout before exiting to avoid information being lost
  * status: fix missing sentinel value on warning codes
  * update/switch: improve some WC db queries that may return incorrect results depending on how SQLite is built
- Server-side bugfixes:
  * reduce memory usage during checkout and export
  * fsfs: create rep-cache.db with proper permissions
  * mod_dav_svn: prevent crashes with SVNListParentPath on [bnc#862459] CVE-2014-0032
  * mod_dav_svn: fix SVNAllowBulkUpdates directive merging
  * mod_dav_svn: include requested property changes in reports
  * svnserve: correct default cache size in help text
  * svnadmin dump: reduce size of dump files with '--deltas'
  * resolve integer underflow that resulted in infinite loops
- Developer-visible changes:
  * fix occasional failure of check_tests.py 12
  * fix failure with SQLite 3.8.1-3.8.3 when built with SQLITE_ENABLE_STAT3/4 due to bug in SQLite
  * specify SQLite defaults that can be changed when SQLite is built to avoid unexpected behavior with Subversion
  * numerous documentation fixes
  * svn_client_commit_item3_dup() fix pool lifetime issues
  * ra_serf: properly ask multiple certificate validation providers for acceptance of certificate failures
  * release internal fs objects when closing commit editor
  * svn_client_proplist4() don't call the callback multiple times for the same path in order to deliver inherited properties
- Bindings:
  * swig-pl: fix with --enable-sqlite-compatibility-version
  * swig: fix building from tarball with an out-of-tree build
- Removed patches:
  * subversion-1.8.x-fix-ppc-tests.patch, committed upstream
- Packaging changes:
  * only require and build with junit when building with java and running regression tests
- 1.8.6 and 1.8.7 were not released

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

  zypper in -t patch openSUSE-2014-173

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (i586 x86_64):

  libsvn_auth_gnome_keyring-1-0-1.8.8-2.21.1
  libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.8-2.21.1
  libsvn_auth_kwallet-1-0-1.8.8-2.21.1
  libsvn_auth_kwallet-1-0-debuginfo-1.8.8-2.21.1
  subversion-1.8.8-2.21.1
  subversion-debuginfo-1.8.8-2.21.1
  subversion-debugsource-1.8.8-2.21.1
  subversion-devel-1.8.8-2.21.1
  subversion-perl-1.8.8-2.21.1
  subversion-perl-debuginfo-1.8.8-2.21.1
  subversion-python-1.8.8-2.21.1
  subversion-python-debuginfo-1.8.8-2.21.1
  subversion-ruby-1.8.8-2.21.1
  subversion-ruby-debuginfo-1.8.8-2.21.1
  subversion-server-1.8.8-2.21.1
  subversion-server-debuginfo-1.8.8-2.21.1
  subversion-tools-1.8.8-2.21.1
  subversion-tools-debuginfo-1.8.8-2.21.1

- openSUSE 13.1 (noarch):

  subversion-bash-completion-1.8.8-2.21.1

References:

  http://support.novell.com/security/cve/CVE-2014-0032.html
  https://bugzilla.novell.com/862459
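
A configuration check for the condition this announcement describes, as an added example that is not part of the original advisory: it flags `<Location />` blocks that set `SVNListParentPath on` and compares the package version against 1.8.8. The function names, the sample configuration and the /srv/svn path are constructed, and the check assumes mod_dav_svn is configured through plain `<Location>` blocks in a single file.

```shell
#!/bin/sh
# Added example (not from the advisory); the sample config is constructed.

# Print FILE:LINE of each <Location /> block that sets SVNListParentPath on.
find_root_listparent() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        substr(low, 1, 1) == "#" { next }
        low ~ /^<location[ \t]/ {
            path = line
            sub(/^<[A-Za-z]+[ \t]+/, "", path); sub(/>.*$/, "", path)
            gsub(/[" \t]/, "", path)
            in_root = (path == "/"); start = NR; next
        }
        low ~ /^<\/location>/ { in_root = 0; next }
        in_root && low ~ /^svnlistparentpath[ \t]+on[ \t]*$/ { print FILENAME ":" start }
    ' "$1"
}

# Succeed when dotted numeric version $1 is older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# assess CONF VERSION; on openSUSE VERSION can come from
#   rpm -q --qf '%{VERSION}' subversion-server
assess() {
    hits=$(find_root_listparent "$1")
    if [ -z "$hits" ]; then echo "NOT-CONFIGURED"
    elif version_lt "$2" 1.8.8; then echo "EXPOSED $hits"   # fixed in 1.8.8 per the advisory
    else echo "PATCHED $hits"
    fi
}

# Constructed sample: a sub-path Location and a root Location, both listing parents.
write_sample() {
    printf '%s\n' '<Location /svn>' '  DAV svn' '  SVNParentPath /srv/svn' \
        '  SVNListParentPath on' '</Location>' '<Location />' '  DAV svn' \
        '  SVNParentPath /srv/svn' '  SVNListParentPath On' '</Location>' > "$1"
}

sample=$(mktemp); write_sample "$sample"; assess "$sample" 1.8.5; rm -f "$sample"
```

Only the root `<Location />` block is reported; the `/svn` block in the sample is ignored because the advisory ties the crash to svn handling the server root.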