[SECURITY] Fedora 21 Update: subversion-1.8.13-7.fc21
updates at fedoraproject.org
updates at fedoraproject.org
Wed Jul 29 01:54:00 UTC 2015
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-11795
2015-07-17 23:30:43
--------------------------------------------------------------------------------
Name : subversion
Product : Fedora 21
Version : 1.8.13
Release : 7.fc21
URL : http://subversion.apache.org/
Summary : A Modern Concurrent Version Control System
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes. Subversion only stores the differences between versions,
instead of every complete file. Subversion is intended to be a
compelling replacement for CVS.
--------------------------------------------------------------------------------
Update Information:
This update includes the latest stable release of **Apache Subversion**, version **1.8.13**.
Three security vulnerabilities are fixed in this update:
* CVE-2015-0202: https://subversion.apache.org/security/CVE-2015-0202-advisory.txt
* CVE-2015-0248: https://subversion.apache.org/security/CVE-2015-0248-advisory.txt
* CVE-2015-0251: https://subversion.apache.org/security/CVE-2015-0251-advisory.txt
In addition, the following changes are included in the Subversion 1.8.13 update:
**Client-side bugfixes:**
* ra_serf: prevent abort of commits that have already succeeded
* ra_serf: support case-insensitivity in HTTP headers
* better error message if an external is shadowed
* ra_svn: fix reporting of directory read errors
* fix a redirect handling bug in 'svn log' over HTTP
* properly copy tree conflict information
* fix 'svn patch' output for reordered hunks http://subversion.tigris.org/issues/show_bug.cgi?id=4533
* svnrdump load: don't load wrong props with no-deltas dump http://subversion.tigris.org/issues/show_bug.cgi?id=4551
* fix working copy corruption with relative file external http://subversion.tigris.org/issues/show_bug.cgi?id=4411
* don't crash if config file is unreadable
* svn resolve: don't ask a question with only one answer
* fix assertion failure in svn move
* working copy performance improvements
* handle existing working copies which become externals
* fix recording of WC meta-data for foreign repos copies
* fix calculating repository path of replaced directories
* fix calculating repository path after commit of switched nodes
* svnrdump: don't provide HEAD+1 as base revision for deletes
* don't leave conflict markers on files that are moved
* avoid unnecessary subtree mergeinfo recording
* fix diff of a locally copied directory with props
**Server-side bugfixes:**
* fsfs: fix a problem verifying pre-1.4 repos used with 1.8
* svnadmin freeze: fix memory allocation error
* svnadmin load: tolerate invalid mergeinfo at r0
* svnadmin load: strip references to r1 from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4538
* svnsync: strip any r0 references from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4476
* fsfs: reduce memory consumption when operating on dag nodes
* reject invalid get-location-segments requests in mod_dav_svn and svnserve
* mod_dav_svn: reject invalid txnprop change requests
**Client-side and server-side bugfixes:**
* fix undefined behaviour in string buffer routines
* fix consistency issues with APR r/w locks on Windows
* fix occasional SEGV if threads load DSOs in parallel
* properly duplicate svn error objects
* fix use-after-free in config parser
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jul 14 2015 Joe Orton <jorton at redhat.com> - 1.8.13-7
- move svnauthz to -tools; make svnauthz-validate a symlink
- move svnmucc man page to -tools
- restore dep on systemd (#1183873)
* Tue Jul 14 2015 Joe Orton <jorton at redhat.com> - 1.8.13-6
- rebuild with tests enabled
* Tue Jul 14 2015 Joe Orton <jorton at redhat.com> - 1.8.13-5
- rebuild with SWIG 3.0.6 (#1216264)
* Mon Jun 15 2015 Ville Skyttä <ville.skytta at iki.fi> - 1.8.13-4
- Own bash-completion dirs not owned by anything in dep chain
* Tue Apr 21 2015 Peter Robinson <pbrobinson at fedoraproject.org> 1.8.13-2
- Disable tests to fix swig test issues
* Wed Apr 8 2015 <vondruch at redhat.com> - 1.8.13-1
- Fix Ruby's test suite.
* Tue Apr 7 2015 Joe Orton <jorton at redhat.com> - 1.8.13-1
- update to 1.8.13 (#1207835)
- attempt to patch around SWIG issues
* Tue Dec 16 2014 Joe Orton <jorton at redhat.com> - 1.8.11-1
- update to 1.8.11 (#1174521)
- require newer libserf (#1155670)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1205138 - CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers
https://bugzilla.redhat.com/show_bug.cgi?id=1205138
[ 2 ] Bug #1205134 - CVE-2015-0202 subversion: (mod_dav_svn) remote denial of service with certain REPORT requests
https://bugzilla.redhat.com/show_bug.cgi?id=1205134
[ 3 ] Bug #1205140 - CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions
https://bugzilla.redhat.com/show_bug.cgi?id=1205140
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update subversion' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the package-announce
mailing list