httpd-users mailing list archives

From "Brennan, Edward C (HII-Ingalls)" <ed.bren...@hii-ingalls.com>
Subject [users@httpd] RE: EXT :Re: [users@httpd] apache 2.2.25 and svn commit
Date Wed, 31 Jul 2013 20:43:21 GMT
Thank you.
  I am trying to understand what the recommendation is here.  I am currently using SVN 1.6.6
and have apache 2.2.22 in production (reverted back from 2.2.25).  At this link:  
http://subversion.apache.org/security/CVE-2013-4131-advisory.txt


there is this blurb:

Making a copy of the repository root is a valid Subversion operation.  
  However, a code change in Apache HTTPD 2.2.25/2.4.5 led to a codepath being
  exercised for a revision root that was never before executed for a revision
  root.  That code performs a hand-rolled path arithmetic instead of using the
  internal path manipulation library, and thus passes an invalid path down to
  a library function which runs an assert() validation on that path.

  When assertions are enabled, the validation fails and kills the httpd
  process.  When assertions are disabled, code would read beyond allocated
  memory, which may lead to a segfault or undefined behavior. 


Is this what I'm running into when I perform a SVN Commit?

And the recommendations on that page:

Recommendations:
================

  We recommend all users to upgrade to Subversion 1.8.1 or 1.7.11.
  Users who are unable to upgrade may apply the included patches.
  
  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  We remind users that we recommend upgrading Apache HTTPD to 2.2.25 (for
  repositories served by HTTPD) due to an independent security issue fixed
  in that HTTPD release: CVE-2013-1896.  See <http://s.apache.org/H1a> for
  details about CVE-2013-1896, including a recommendation for those who serve
  Subversion repositories with Apache HTTPD 2.4.x.

So is this saying that while apache 2.2.25 introduced the issue, I should keep that version
for the security vulnerability fix, and upgrade SVN to 1.8.1 or 1.7.11?

Thank you!
Ed

-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com] 
Sent: Wednesday, July 31, 2013 10:42 AM
To: users@httpd.apache.org
Subject: EXT :Re: [users@httpd] apache 2.2.25 and svn commit

https://issues.apache.org/bugzilla/show_bug.cgi?id=55304
http://svn.apache.org/viewvc?view=revision&revision=r1506714

On Wed, Jul 31, 2013 at 11:33 AM, Brennan, Edward C (HII-Ingalls)
<ed.brennan@hii-ingalls.com> wrote:
> Hello,
>   I recently uninstalled apache 2.2.22 and installed 2.2.25 in order to address security vulnerabilities.  Apache sits on top of subversion.  A few days after the upgrade, some users reported issues performing the "svn commit" command on a file that resides in a folder with a space in the folder name.  I found that if I create a folder with a space in it, such as "new folder", put it under cm control, then add a text file under the folder, then modify the file and attempt an "SVN Commit" command, I get this error in apache error.log:
>
> [Wed Jul 31 10:25:13 2013] [error] ... Unable to PUT new contents for /svn/!svn/wrk/.../svngctest/trunk/new%20folder/myDoc.txt. [403, #0]
> [Wed Jul 31 10:25:13 2013] [error] ... Could not create file within the repository. [404, #160013]
> [Wed Jul 31 10:25:13 2013] [error] ... File not found: transaction '37355-stw', path '/svngctest/trunk/new%20folder/myDoc.txt'  [404, #160013]
>
> If I revert back to apache 2.2.22, the file will commit just fine.  So the installation of apache 2.2.25 seems to have introduced an issue with encoding spaces?  Has anyone else noticed this with apache 2.2.25?
>
> Thank you,
>
> Ed Brennan
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
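
A triage sketch for the symptom reported in this thread, added here as an example and not part of any message or of the httpd or Subversion projects: it scans Apache 2.2-style error.log lines for "File not found" entries with error #160013 whose logged path still contains a percent-escape such as `%20`. The sample lines are constructed from the ones quoted above; the client address, the `PLACEHOLDER` path segment and the second transaction are assumptions.

```python
import re
from urllib.parse import unquote

# Apache 2.2 error.log shape: [timestamp] [level] [client addr] message  [status, #code]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*?)\s*\[(?P<status>\d{3}), #(?P<code>\d+)\]\s*$"
)
# Message body: File not found: transaction '<txn>', path '<path>'
TXN_RE = re.compile(r"transaction '(?P<txn>[^']+)', path '(?P<path>[^']+)'")
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def find_encoded_path_failures(lines):
    """Return one dict per #160013 entry whose path is still percent-encoded."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m.group("code") != "160013":
            continue
        t = TXN_RE.search(m.group("msg"))
        # Ordinary missing-file errors (no escape in the path) are not flagged.
        if not t or not ESCAPE_RE.search(t.group("path")):
            continue
        hits.append({
            "timestamp": m.group("ts"),
            "client": m.group("client"),
            "transaction": t.group("txn"),
            "logged_path": t.group("path"),
            "decoded_path": unquote(t.group("path")),
        })
    return hits


# Constructed sample input modelled on the thread; 192.0.2.10 and PLACEHOLDER are stand-ins.
SAMPLE_LOG = [
    "[Wed Jul 31 10:25:13 2013] [error] [client 192.0.2.10] Unable to PUT new contents for "
    "/svn/!svn/wrk/PLACEHOLDER/svngctest/trunk/new%20folder/myDoc.txt.  [403, #0]",
    "[Wed Jul 31 10:25:13 2013] [error] [client 192.0.2.10] Could not create file within "
    "the repository.  [404, #160013]",
    "[Wed Jul 31 10:25:13 2013] [error] [client 192.0.2.10] File not found: transaction "
    "'37355-stw', path '/svngctest/trunk/new%20folder/myDoc.txt'  [404, #160013]",
    "[Wed Jul 31 10:26:40 2013] [error] [client 192.0.2.10] File not found: transaction "
    "'00000-xyz', path '/svngctest/trunk/missing.txt'  [404, #160013]",
]

if __name__ == "__main__":
    for hit in find_encoded_path_failures(SAMPLE_LOG):
        print(hit)
```

A hit only marks a log entry matching the pattern in this thread; whether a given host is affected still depends on the httpd and Subversion versions installed.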

