openSUSE-SU-2014:1725-1: moderate: Security update for subversion
openSUSE Security Update: Security update for subversion
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1725-1
Rating:             moderate
References:         #909935
Cross-References:   CVE-2014-3580 CVE-2014-8108
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This Apache Subversion update fixes the following security and
non-security issues.

- Apache Subversion 1.8.11
- This release addresses two security issues: [boo#909935]
  * CVE-2014-3580: mod_dav_svn DoS from invalid REPORT requests.
  * CVE-2014-8108: mod_dav_svn DoS from use of invalid transaction names.
- Client-side bugfixes:
  * checkout/update: fix file externals failing to follow history and
    subsequently silently failing
  * patch: don't skip targets in valid --git diffs
  * diff: make property output in diffs stable
  * diff: fix diff of local copied directory with props
  * diff: fix changelist filter for repos-WC and WC-WC
  * remove broken conflict resolver menu options that always error out
  * improve gpg-agent support
  * fix crash in eclipse IDE with GNOME Keyring
  * fix externals shadowing a versioned directory
  * fix problems working on unix file systems that don't support
    permissions
  * upgrade: keep external registrations
  * cleanup: improve performance of recorded timestamp fixups
  * translation updates for German
- Server-side bugfixes:
  * disable revprop caching feature due to cache invalidation problems
  * skip generating uniquifiers if rep-sharing is not supported
  * mod_dav_svn: reject requests with missing repository paths
  * mod_dav_svn: reject requests with invalid virtual transaction names
  * mod_dav_svn: avoid unneeded memory growth in resource walking

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

  zypper in -t patch openSUSE-2014-821

- openSUSE 13.1:

  zypper in -t patch openSUSE-2014-821

- openSUSE 12.3:

  zypper in -t patch openSUSE-2014-821

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):

  libsvn_auth_gnome_keyring-1-0-1.8.11-2.7.1
  libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.11-2.7.1
  libsvn_auth_kwallet-1-0-1.8.11-2.7.1
  libsvn_auth_kwallet-1-0-debuginfo-1.8.11-2.7.1
  subversion-1.8.11-2.7.1
  subversion-debuginfo-1.8.11-2.7.1
  subversion-debugsource-1.8.11-2.7.1
  subversion-devel-1.8.11-2.7.1
  subversion-perl-1.8.11-2.7.1
  subversion-perl-debuginfo-1.8.11-2.7.1
  subversion-python-1.8.11-2.7.1
  subversion-python-ctypes-1.8.11-2.7.1
  subversion-python-debuginfo-1.8.11-2.7.1
  subversion-ruby-1.8.11-2.7.1
  subversion-ruby-debuginfo-1.8.11-2.7.1
  subversion-server-1.8.11-2.7.1
  subversion-server-debuginfo-1.8.11-2.7.1
  subversion-tools-1.8.11-2.7.1
  subversion-tools-debuginfo-1.8.11-2.7.1

- openSUSE 13.2 (noarch):

  subversion-bash-completion-1.8.11-2.7.1

- openSUSE 13.1 (i586 x86_64):

  libsvn_auth_gnome_keyring-1-0-1.8.11-2.33.1
  libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.11-2.33.1
  libsvn_auth_kwallet-1-0-1.8.11-2.33.1
  libsvn_auth_kwallet-1-0-debuginfo-1.8.11-2.33.1
  subversion-1.8.11-2.33.1
  subversion-debuginfo-1.8.11-2.33.1
  subversion-debugsource-1.8.11-2.33.1
  subversion-devel-1.8.11-2.33.1
  subversion-perl-1.8.11-2.33.1
  subversion-perl-debuginfo-1.8.11-2.33.1
  subversion-python-1.8.11-2.33.1
  subversion-python-debuginfo-1.8.11-2.33.1
  subversion-ruby-1.8.11-2.33.1
  subversion-ruby-debuginfo-1.8.11-2.33.1
  subversion-server-1.8.11-2.33.1
  subversion-server-debuginfo-1.8.11-2.33.1
  subversion-tools-1.8.11-2.33.1
  subversion-tools-debuginfo-1.8.11-2.33.1

- openSUSE 13.1 (noarch):

  subversion-bash-completion-1.8.11-2.33.1

- openSUSE 12.3 (i586 x86_64):

  libsvn_auth_gnome_keyring-1-0-1.7.19-2.40.1
  libsvn_auth_gnome_keyring-1-0-debuginfo-1.7.19-2.40.1
  libsvn_auth_kwallet-1-0-1.7.19-2.40.1
  libsvn_auth_kwallet-1-0-debuginfo-1.7.19-2.40.1
  subversion-1.7.19-2.40.1
  subversion-debuginfo-1.7.19-2.40.1
  subversion-debugsource-1.7.19-2.40.1
  subversion-devel-1.7.19-2.40.1
  subversion-perl-1.7.19-2.40.1
  subversion-perl-debuginfo-1.7.19-2.40.1
  subversion-python-1.7.19-2.40.1
  subversion-python-debuginfo-1.7.19-2.40.1
  subversion-server-1.7.19-2.40.1
  subversion-server-debuginfo-1.7.19-2.40.1
  subversion-tools-1.7.19-2.40.1
  subversion-tools-debuginfo-1.7.19-2.40.1

- openSUSE 12.3 (noarch):

  subversion-bash-completion-1.7.19-2.40.1

References:

  http://support.novell.com/security/cve/CVE-2014-3580.html
  http://support.novell.com/security/cve/CVE-2014-8108.html
  https://bugzilla.suse.com/show_bug.cgi?id=909935
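To confirm the update has landed across a set of hosts, the installed subversion build can be compared against the fixed build listed above for each product. The script below is an added example, not part of the original advisory: the function names, host names and installed builds in the sample inventory are constructed, and `sort -V` (GNU coreutils) is assumed as an approximation of RPM's version ordering.

```shell
#!/bin/sh
# Fixed subversion version-release per product, copied from the package list above.
fixed_build() {
    case "$1" in
        13.2) echo "1.8.11-2.7.1" ;;
        13.1) echo "1.8.11-2.33.1" ;;
        12.3) echo "1.7.19-2.40.1" ;;
        *)    return 1 ;;
    esac
}

# is_patched PRODUCT VERSION-RELEASE
# Returns 0 if the build is at or above the fixed build, 1 if it is older,
# 2 if the product is not covered by this advisory.
is_patched() {
    fixed=$(fixed_build "$1") || return 2
    # sort -V compares numeric components as numbers, so 2.7.1 sorts before 2.33.1.
    lowest=$(printf '%s\n%s\n' "$fixed" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ] && return 0
    return 1
}

# unpatched_hosts: reads "host product version-release" lines on stdin and
# prints every host that is below the fixed build or runs an unlisted product.
unpatched_hosts() {
    while read -r host product build; do
        [ -n "$host" ] || continue
        is_patched "$product" "$build" || echo "$host"
    done
}

# Constructed sample inventory (hypothetical hosts and builds). On a real host
# the third column would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' subversion
SAMPLE_INVENTORY='web1 13.2 1.8.10-2.4.1
web2 13.2 1.8.11-2.7.1
scm1 13.1 1.8.11-2.33.1
scm2 12.3 1.7.18-2.36.1
old1 11.4 1.6.17-1.1'

printf '%s\n' "$SAMPLE_INVENTORY" | unpatched_hosts
```

Hosts on a product the advisory does not list are reported too, since the fixed build for them is unknown.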