
Re: Subversion 1.0.6 released. *SECURITY FIX*

From: Branko Čibej <brane_at_xbc.nu>
Date: 2004-07-24 01:13:07 CEST

The Win32 build is now available:

  http://subversion.tigris.org/files/documents/15/14889/svn-win32-1.0.6.zip
  http://subversion.tigris.org/files/documents/15/14892/svn-win32-1.0.6_dev.zip
  http://subversion.tigris.org/files/documents/15/14890/svn-win32-1.0.6_pdb.7z
  http://subversion.tigris.org/files/documents/15/14891/svn-win32-1.0.6_py.zip

The MD5 checksums are:

  fb939ca8d5cafbc639ce487595c675d4 svn-win32-1.0.6.zip
  997efa970e5b02250a4b6c4852575f81 svn-win32-1.0.6_dev.zip
  cc401aa82ba7379809c98445247c1e7c svn-win32-1.0.6_pdb.7z
  0f1daf28b5862c128f0e1e0577ef67d8 svn-win32-1.0.6_py.zip

The binaries with the workaround for the ASP.NET bug are at

  http://www.xbc.nu/svn/

Note: The PDB files are now in a 7-zip archive, because that's four
times smaller than a ZIP archive.

Ben Reser wrote:

>Subversion 1.0.6 is ready. Grab it from:
>
> http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz
> http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2
>
>The MD5 checksums are:
>
> 160c655194dff55f9fdd856110801d01 subversion-1.0.6.tar.gz
> bb05fe041fef7491b3555904d97f5e1c subversion-1.0.6.tar.bz2
>
>PGP Signatures are available at:
> http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz.asc
> http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2.asc
>
>PGP Signatures will be made by the following person(s) for this release:
> Ben Reser [1024D/641E358B] with fingerprint:
> 42F5 91FD E577 F545 FB40 8F6B 7241 856B 641E 358B
>
>
>This is likely the last bugfix release in the 1.0.x line.
>
>Subversion versions up to and including 1.0.5 have a bug in
>mod_authz_svn that allows users with write access to read
>portions of the repository that they do not have read access
>to. Subversion 1.0.6 and newer (including 1.1.0-rc1) are not
>vulnerable to this issue.
>
>Details:
>========
>
>mod_authz_svn would allow a user to copy portions of a repo to which
>they did not have read permissions to portions that they did have
>read permissions on, thereby evading the read restrictions.
>
>Severity:
>=========
>
>This is a low risk issue. Only sites running mod_authz_svn (an
>Apache module) that are trying to restrict some of their users
>with write access to a repo from reading part of that repo are
>vulnerable.
>
>Most installations will not fall into this category.
>Additionally, any attempt to use such a vulnerability will be
>apparent as the copy will be versioned. Plus, it's doubtful
>any site would permit public write access to its repository
>so this issue should not be accessible by unauthenticated users.
>
>This vulnerability does not affect users running svnserve.
>
>Workarounds:
>============
>
>* Disable DAV and use svnserve.
>
>* Separate content into different repos.
>
>* Disable the COPY method via Apache configuration. Note this will
> disallow all copies.
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.6 or 1.1.0-rc1.
>
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: crash in status command, caused by race (r10144)
> * fixed: crashes when deleting a revision-prop (r10148, r10185, r10192)
> * fixed: mod_authz_svn allows COPY method on repos with space in name (#1837)
> * fixed: mod_authz_svn COPY security hole: authorize whole tree (issue #1949)
>
> Developer-visible changes:
> * neon 0.24.7 now required (fixes wire compression bugs) (r10159, 10176)
>
>
-- Brane
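The announcement above lists MD5 checksums for each archive and a PGP fingerprint for the signer. As an added example (not part of the original mail or of the Subversion project), the script below checks a set of downloaded files against a checksum list in the same "<md5> <filename>" layout the mail uses, treating a missing file as a failure just like a mismatch. The file names, contents and checksums in the demo are constructed for illustration; for a real release you would feed it the list quoted in the announcement.

```shell
#!/bin/sh
# Added example, not code from the original announcement. Verifies archives
# against a "<md5> <filename>" list such as the one posted above. All demo
# files and digests below are constructed; use the real list for a release.

# Compute an MD5 hex digest portably (coreutils md5sum or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_checksums LISTFILE DIR
# Reads "<md5> <name>" lines from LISTFILE, hashes DIR/<name>, and prints
# OK / MISMATCH / MISSING per entry. Returns 0 only when every listed file
# is present and matches; an absent file counts as a failure, since a
# substituted download can just as easily be a renamed or dropped one.
verify_checksums() {
    list=$1; dir=$2; status=0
    while read -r expected name; do
        [ -z "$expected" ] && continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        actual=$(md5_of "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"; status=1
        fi
    done < "$list"
    return $status
}

# Constructed demo: one intact file, one altered file, one file never downloaded.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/good.zip"
printf 'tampered\n' > "$demo_dir/bad.zip"
cat > "$demo_dir/MD5SUMS" <<EOF
b1946ac92492d2347c6235b4d2611184 good.zip
b1946ac92492d2347c6235b4d2611184 bad.zip
b1946ac92492d2347c6235b4d2611184 missing.zip
EOF

if verify_checksums "$demo_dir/MD5SUMS" "$demo_dir"; then
    echo "all checksums verified"
else
    echo "verification FAILED: do not install these archives"
fi
```

A checksum published on the same server as the archive only detects corruption or an incomplete download, not a replaced file. Once the checksums pass, the detached .asc signatures the announcement points to should also be checked with gpg, and the signing key's fingerprint compared against the one stated in the mail rather than against whatever key happens to be on a keyserver.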

Received on Sat Jul 24 01:13:45 2004
