   openSUSE Security Update: subversion: update to 1.8.5
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1836-1
Rating:             moderate
References:         #850667 #850747
Cross-References:   CVE-2013-4505 CVE-2013-4558
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update fixes the following issues with subversion
   (CVE-2013-4505, CVE-2013-4558):

   - bnc#850747: update to 1.8.5
     * CVE-2013-4505: mod_dontdothat does not restrict requests from
       serf clients.
     * CVE-2013-4558: mod_dav_svn assertion triggered by autoversioning
       commits.
     + Client-side bugfixes:
       * fix externals that point at redirected locations
       * diff: fix assertion with move inside a copy
     + Server-side bugfixes:
       * mod_dav_svn: Prevent crashes with some 3rd party modules
       * mod_dav_svn: canonicalize paths properly
       * mod_authz_svn: fix crash of mod_authz_svn with invalid config
       * hotcopy: fix hotcopy losing revprop files in packed repos
     + Other tool improvements and bugfixes:
       * mod_dontdothat: Fix the uri parser
     + Developer-visible changes:
       * fix compilation with '--enable-optimize' with clang
       * add test to fail when built against broken ZLib
     + Bindings:
       * ctypes-python: build with compiler selected via configure
   - require python-sqlite when running regression tests for all
     targets, no longer pulled in implicitly
   - print error logs on regression test failures
   - fix regression tests for ppc/ppc64 architectures, found in
     openSUSE package build and fixed with upstream developers
   - if running regression tests, also run them against bdb backend
   - update keyring, use Subversion Project Management Committee
     keyring rather than all committers

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2013-942

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (i586 x86_64):

      libsvn_auth_gnome_keyring-1-0-1.8.5-2.11.1
      libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.5-2.11.1
      libsvn_auth_kwallet-1-0-1.8.5-2.11.1
      libsvn_auth_kwallet-1-0-debuginfo-1.8.5-2.11.1
      subversion-1.8.5-2.11.1
      subversion-debuginfo-1.8.5-2.11.1
      subversion-debugsource-1.8.5-2.11.1
      subversion-devel-1.8.5-2.11.1
      subversion-perl-1.8.5-2.11.1
      subversion-perl-debuginfo-1.8.5-2.11.1
      subversion-python-1.8.5-2.11.1
      subversion-python-debuginfo-1.8.5-2.11.1
      subversion-ruby-1.8.5-2.11.1
      subversion-ruby-debuginfo-1.8.5-2.11.1
      subversion-server-1.8.5-2.11.1
      subversion-server-debuginfo-1.8.5-2.11.1
      subversion-tools-1.8.5-2.11.1
      subversion-tools-debuginfo-1.8.5-2.11.1

   - openSUSE 13.1 (noarch):

      subversion-bash-completion-1.8.5-2.11.1

References:

   http://support.novell.com/security/cve/CVE-2013-4505.html
   http://support.novell.com/security/cve/CVE-2013-4558.html
   https://bugzilla.novell.com/850667
   https://bugzilla.novell.com/850747
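
One way to confirm the patch landed, as an added example that is not part of the original advisory: the script below flags installed packages from the list above that are still older than 1.8.5-2.11.1. The function names and the sample inventory are constructed for illustration, and `sort -V` is used as an approximation of rpm's version comparison (epochs are ignored).

```shell
#!/bin/sh
# Added example: find subversion packages still below the advisory's fixed build.
FIXED="1.8.5-2.11.1"   # version-release taken from the advisory's package list

# Succeeds if version-release $1 sorts strictly before $2.
# Assumption: GNU sort -V ordering is close enough to rpm's for these strings.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin, prints every package covered by
# the advisory that is older than $FIXED, and returns 1 if any was found.
find_unpatched() {
    rc=0
    while read -r name vr; do
        case "$name" in
            subversion|subversion-*|libsvn_auth_*) ;;   # names from the package list
            *) continue ;;                              # not covered by this update
        esac
        if ver_lt "$vr" "$FIXED"; then
            printf '%s %s (needs %s)\n' "$name" "$vr" "$FIXED"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory (not real host data), in the same format as
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
sample_inventory() {
    cat <<'EOF'
subversion 1.8.0-2.3.1
subversion-server 1.8.5-2.11.1
libsvn_auth_kwallet-1-0 1.8.4-2.7.1
apache2 2.4.6-6.1.1
EOF
}

# Demo on the sample data; on a real host, pipe the rpm query above instead.
sample_inventory | find_unpatched || echo "unpatched subversion packages found"
```

A non-zero return from `find_unpatched` makes it usable as a gate in a compliance or deployment check.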