openSUSE Security Update: Security update for subversion
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:3073-1
Rating:             low
References:         #1011552
Cross-References:   CVE-2016-8734
Affected Products:
                    openSUSE Leap 42.2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for subversion fixes the following issues:

   - Version update to 1.9.5:
     * Unrestricted XML entity expansion in mod_dontdothat and Subversion
       clients using http(s):// (boo#1011552, CVE-2016-8734)

   - Client-side bugfixes:
     * fix accessing non-existent paths during reintegrate merge (r1766699 et al)
     * fix handling of newly secured subdirectories in working copy (r1724448)
     * info: remove trailing whitespace in --show-item=revision (issue #4660)
     * fix recording wrong revisions for tree conflicts (r1734106)
     * gpg-agent: improve discovery of gpg-agent sockets (r1766327)
     * gpg-agent: fix file descriptor leak (r1766323)
     * resolve: fix --accept=mine-full for binary files (issue #4647)
     * merge: fix possible crash (issue #4652)
     * resolve: fix possible crash (r1748514)
     * fix potential crash in Win32 crash reporter (r1663253 et al)

   - Server-side bugfixes:
     * fsfs: fix "offset too large" error during pack (issue #4657)
     * svnserve: enable hook script environments (r1769152)
     * fsfs: fix possible data reconstruction error (issue #4658)
     * fix source of spurious 'incoming edit' tree conflicts (r1770108)
     * fsfs: improve caching for large directories (r1721285)
     * fsfs: fix crash when encountering all-zero checksums (r1759686)
     * fsfs: fix potential source of repository corruptions (r1756266)
     * mod_dav_svn: fix excessive memory usage with mod_headers/mod_deflate
       (issue #3084)
     * mod_dav_svn: reduce memory usage during GET requests (r1757529 et al)
     * fsfs: fix unexpected "database is locked" errors (r1741096 et al)
     * fsfs: fix opening old repositories without db/format files (r1720015)

   - Client-side and server-side bugfixes:
     * fix possible crash when reading invalid configuration files (r1715777)

   - Bindings bugfixes:
     * swig-pl: do not corrupt "{DATE}" revision variable (r1767768)
     * javahl: fix temporary accepting SSL server certificates (r1764851)
     * swig-pl: fix possible stack corruption (r1683266, r1683267)


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2016-1435=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.2 (noarch):

      subversion-bash-completion-1.9.5-3.2

   - openSUSE Leap 42.2 (x86_64):

      libsvn_auth_gnome_keyring-1-0-1.9.5-3.2
      libsvn_auth_gnome_keyring-1-0-debuginfo-1.9.5-3.2
      libsvn_auth_kwallet-1-0-1.9.5-3.2
      libsvn_auth_kwallet-1-0-debuginfo-1.9.5-3.2
      subversion-1.9.5-3.2
      subversion-debuginfo-1.9.5-3.2
      subversion-debugsource-1.9.5-3.2
      subversion-devel-1.9.5-3.2
      subversion-perl-1.9.5-3.2
      subversion-perl-debuginfo-1.9.5-3.2
      subversion-python-1.9.5-3.2
      subversion-python-ctypes-1.9.5-3.2
      subversion-python-debuginfo-1.9.5-3.2
      subversion-ruby-1.9.5-3.2
      subversion-ruby-debuginfo-1.9.5-3.2
      subversion-server-1.9.5-3.2
      subversion-server-debuginfo-1.9.5-3.2
      subversion-tools-1.9.5-3.2
      subversion-tools-debuginfo-1.9.5-3.2


References:

   https://www.suse.com/security/cve/CVE-2016-8734.html
   https://bugzilla.suse.com/1011552
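The package list above gives the fixed build as 1.9.5-3.2. The following shell script is an added example (not part of the openSUSE advisory or of the subversion project) that checks installed subversion package versions against that build. The package lines it reads are constructed sample data, embedded so the script runs offline; on a real Leap 42.2 host the SAMPLE variable would be replaced by the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` for the affected packages. The comparison is a simplified numeric field-by-field compare, not rpm's full version algorithm; that is sufficient for the purely numeric versions in this update.

```shell
#!/bin/sh
# Added example: flag subversion packages still below the fixed build
# 1.9.5-3.2 from openSUSE-SU-2016:3073-1. Not the advisory's own code.

FIXED_EVR="1.9.5-3.2"

# Constructed sample output in "NAME VERSION-RELEASE" form (hypothetical
# host; a real run would use rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n').
SAMPLE='subversion 1.9.4-2.1
subversion-server 1.9.5-3.2
libsvn_auth_kwallet-1-0 1.9.5-3.2
subversion-tools 1.9.7-1.1'

# vr_cmp A B: print "older", "same" or "newer" for A relative to B.
# Fields are split on "." and "-" and compared numerically; a missing
# field counts as 0. Only numeric fields are supported (simplification).
vr_cmp() {
  i=1
  while :; do
    fa=$(printf '%s\n' "$1" | tr '.' '-' | tr '-' '\n' | sed -n "${i}p")
    fb=$(printf '%s\n' "$2" | tr '.' '-' | tr '-' '\n' | sed -n "${i}p")
    if [ -z "$fa" ] && [ -z "$fb" ]; then echo same; return 0; fi
    fa=${fa:-0}
    fb=${fb:-0}
    if [ "$fa" -lt "$fb" ]; then echo older; return 0; fi
    if [ "$fa" -gt "$fb" ]; then echo newer; return 0; fi
    i=$((i + 1))
  done
}

# pkg_status NAME VR: one report line for a single package.
pkg_status() {
  case $(vr_cmp "$2" "$FIXED_EVR") in
    older) printf '%s VULNERABLE (%s < %s)\n' "$1" "$2" "$FIXED_EVR" ;;
    *)     printf '%s ok (%s)\n' "$1" "$2" ;;
  esac
}

# count_vulnerable: number of packages in SAMPLE below the fixed build.
# Uses a here-document rather than a pipe so the counter survives the loop.
count_vulnerable() {
  n=0
  while read -r name vr; do
    [ -n "$name" ] || continue
    case $(vr_cmp "$vr" "$FIXED_EVR") in
      older) n=$((n + 1)) ;;
    esac
  done <<EOF
$SAMPLE
EOF
  echo "$n"
}

# report: print one status line per package in SAMPLE.
report() {
  printf '%s\n' "$SAMPLE" | while read -r name vr; do
    [ -n "$name" ] && pkg_status "$name" "$vr"
  done
}

report
echo "packages still vulnerable: $(count_vulnerable)"
```

The sample deliberately includes a package newer than the fix (subversion-tools 1.9.7-1.1) so the check does not misreport later builds as vulnerable; only subversion 1.9.4-2.1 should be flagged.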