
Re: Apache Subversion 1.7.20 released

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Wed, 1 Apr 2015 07:55:09 -0400

[ Followup trimmed to subversion-devel and subversion-users ]

On Tue, Mar 31, 2015 at 8:03 AM, Stefan Sperling <stsp_at_apache.org> wrote:
> I'm happy to announce the release of Apache Subversion 1.7.20.
>
> This release addresses two security issues:
>
> CVE-2015-0248: Subversion mod_dav_svn and svnserve are vulnerable to a
> remotely triggerable assertion DoS vulnerability for certain
> requests with dynamically evaluated revision numbers
> CVE-2015-0251: Subversion HTTP servers allow spoofing svn:author property
> values for new revisions

Cool, thanks for the update! It wouldn't affect me since I use svn+ssh
these days, but I'm glad for others to get the fix. I've updated my
public tools for building 1.7.x and 1.8.x on RHEL based operating
systems to match, at

           https://github.com/nkadel/subversion-1.8.x-srpm

           https://github.com/nkadel/subversion-1.7.x-srpm

I'm having difficulty building recent 1.7 releases on RHEL 5. I'll go
into more detail on that in another note. I've also not pursued
compiling for RHEL 7 yet, being reluctant to touch systemd if I can
avoid it, but I'm going to have to learn.

                          Nico Kadel-Garcia

> For details see the advisories at:
>
> http://subversion.apache.org/security/CVE-2015-0248-advisory.txt
> http://subversion.apache.org/security/CVE-2015-0251-advisory.txt
>
> Please choose the mirror closest to you by visiting:
>
> http://subversion.apache.org/download/#supported-releases
>
> The SHA1 checksums are:
>
> f600c68010d2fd9a23fc8c6b659099aedac12900 subversion-1.7.20.tar.bz2
> 675ac5a843e01dbb4a30d6333a809fd048c5ce0c subversion-1.7.20.zip
> e861f85e9df1b5aca903aa6eda15919c454cbda5 subversion-1.7.20.tar.gz
>
> PGP Signatures are available at:
>
> http://www.apache.org/dist/subversion/subversion-1.7.20.tar.bz2.asc
> http://www.apache.org/dist/subversion/subversion-1.7.20.tar.gz.asc
> http://www.apache.org/dist/subversion/subversion-1.7.20.zip.asc
>
> For this release, the following people have provided PGP signatures:
>
> Bert Huijben [4096R/CCC8E1DF] with fingerprint:
> 3D1D C66D 6D2E 0B90 3952 8138 C4A6 C625 CCC8 E1DF
> Branko Čibej [4096R/A347943F] with fingerprint:
> BA3C 15B1 337C F0FB 222B D41A 1BCA 6586 A347 943F
> Ivan Zhakov [4096R/F6AD8147] with fingerprint:
> 4829 8F0F E47F 4B8A 43FD 6525 919F 6F61 F6AD 8147
> Johan Corveleyn [4096R/010C8AAD] with fingerprint:
> 8AA2 C10E EAAD 44F9 6972 7AEA B59C E6D6 010C 8AAD
> Julian Foad [4096R/4EECC493] with fingerprint:
> 6011 63CF 9D49 9FD7 18CF 582D 1FB0 64B8 4EEC C493
> Philip Martin [2048R/ED1A599C] with fingerprint:
> A844 790F B574 3606 EE95 9207 76D7 88E1 ED1A 599C
> Stefan Fuhrmann [4096R/57921ACC] with fingerprint:
> 056F 8016 D9B8 7B1B DE41 7467 99EC 741B 5792 1ACC
> Stefan Sperling [2048R/9A59B973] with fingerprint:
> 8BC4 DAE0 C5A4 D65F 4044 0107 4F7D BAA9 9A59 B973
>
> Release notes for the 1.7.x release series may be found at:
>
> http://subversion.apache.org/docs/release-notes/1.7.html
>
> You can find the list of changes between 1.7.20 and earlier versions at:
>
> http://svn.apache.org/repos/asf/subversion/tags/1.7.20/CHANGES
>
> Questions, comments, and bug reports to users_at_subversion.apache.org.
>
> Thanks,
> - The Subversion Team
Received on 2015-04-01 13:56:27 CEST

This is an archived mail posted to the Subversion Dev mailing list.