Subversion 1.0.3 released. *SECURITY FIX*
From: Ben Reser <ben_at_reser.org>
Date: 2004-05-19 12:20:50 CEST
Subversion 1.0.3 is ready. Grab it from:
http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
The MD5 checksums are:
1d5722a515be8f1aa6cfb779d99c6a11 subversion-1.0.3.tar.gz
Subversion versions up to and including 1.0.2 have a buffer overflow in
Both client and server are vulnerable. The server is vulnerable over
Additionally, clients with shared working copies, or permissions that
Severity:
Severity ranges from "Denial of Service" to, potentially, "Arbitrary
The server vulnerabilities can be triggered without write/commit access
Workarounds:
There are no workarounds except to disallow public access. Even then
Recommendations:
We recommend all users upgrade to 1.0.3.
References:
CAN-2004-0397: subversion sscanf stack overflow via revision date
Note:
There was a similar vulnerability in the Neon HTTP library up to and
Questions, comments, and bug reports to users_at_subversion.tigris.org.
Thanks,
--------------------8-<-------cut-here---------8-<-----------------------
User-visible-changes:
---------------------------------------------------------------------
|
This is an archived mail posted to the Subversion Users mailing list.
This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.