The Win32 build is now available:
The MD5 checksums are:
The binaries with the workaround for the ASP.NET bug are in at
Note: The PDB files are now in a 7-zip archive, because that's four
times smaller than a ZIP archive.
Ben Reser wrote:
>Subversion 1.0.6 is ready. Grab it from:
>The MD5 checksums are:
> 160c655194dff55f9fdd856110801d01 subversion-1.0.6.tar.gz
> bb05fe041fef7491b3555904d97f5e1c subversion-1.0.6.tar.bz2
>PGP Signatures are available at:
>PGP Signatures will be made by the following person(s) for this release:
> Ben Reser [1024D/641E358B] with fingerprint:
> 42F5 91FD E577 F545 FB40 8F6B 7241 856B 641E 358B
>This is likely the last bugfix release in the 1.0.x line.
>Subversion versions up to and including 1.0.5 have a bug in
>mod_authz_svn that allows users with write access to read
>portions of the repository that they do not have read access
>to. Subversion 1.0.6 and newer (including 1.1.0-rc1) are not
>vulnerable to this issue.
>mod_authz_svn would allow a user to copy portions of a repo to which
>they did not have read permissions to portions that they did have
>read permissions on, thereby evading the read restrictions.
>This is a low risk issue. Only sites running mod_authz_svn (an
>Apache module) that are trying to restrict some of their users
>with write access to a repo from reading part of that repo are
>Most installations will not fall into this category.
>Additionally, any attempt to use such a vulnerability will be
>apparent as the copy will be versioned. Plus, it's doubtful
>any site would permit public write access to its repository
>so this issue should not be accessible by unauthenticated users.
>This vulnerability does not affect users running svnserve.
>* Disable DAV and use svnserve.
>* Separate content into different repos.
>* Disable the COPY method via Apache configuration. Note this will
> disallow all copies.
>We recommend all users upgrade to 1.0.6 or 1.1.0-rc1.
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>-The Subversion Team
> * fixed: crash in status command, caused by race (r10144)
> * fixed: crashes when deleting a revision-prop (r10148, r10185, r10192)
> * fixed: mod_authz_svn allows COPY method on repos with space in name (#1837)
> * fixed: mod_authz_svn COPY security hole: authorize whole tree (issue #1949)
> Developer-visible changes:
> * neon 0.24.7 now required (fixes wire compression bugs) (r10159, 10176)
To unsubscribe, e-mail: firstname.lastname@example.org
For additional commands, e-mail: email@example.com
Received on Sat Jul 24 01:13:45 2004