subversion-commits mailing list archives

From bre...@apache.org
Subject svn commit: r1570273 - in /subversion/site/publish: doap.rdf docs/release-notes/release-history.html download/download.html index.html news.html security/CVE-2014-0032-advisory.txt security/index.html
Date Thu, 20 Feb 2014 16:59:16 GMT
Author: breser
Date: Thu Feb 20 16:59:15 2014
New Revision: 1570273

URL: http://svn.apache.org/r1570273
Log:
Update site for 1.8.8 release and publish the advisory for CVE-2014-0032.

Added:
    subversion/site/publish/security/CVE-2014-0032-advisory.txt   (with props)
Modified:
    subversion/site/publish/doap.rdf
    subversion/site/publish/docs/release-notes/release-history.html
    subversion/site/publish/download/download.html
    subversion/site/publish/index.html
    subversion/site/publish/news.html
    subversion/site/publish/security/index.html

Modified: subversion/site/publish/doap.rdf
URL: http://svn.apache.org/viewvc/subversion/site/publish/doap.rdf?rev=1570273&r1=1570272&r2=1570273&view=diff
==============================================================================
--- subversion/site/publish/doap.rdf (original)
+++ subversion/site/publish/doap.rdf Thu Feb 20 16:59:15 2014
@@ -37,8 +37,8 @@
     <release>
       <Version>
         <name>Recommended current 1.8 release</name>
-        <created>2013-11-25</created>
-        <revision>1.8.5</revision>
+        <created>2014-02-20</created>
+        <revision>1.8.8</revision>
       </Version>
     </release>
     <release>

Modified: subversion/site/publish/docs/release-notes/release-history.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/release-history.html?rev=1570273&r1=1570272&r2=1570273&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/release-history.html (original)
+++ subversion/site/publish/docs/release-notes/release-history.html Thu Feb 20 16:59:15 2014
@@ -31,6 +31,9 @@ Subversion 2.0.</p>
 
 <ul>
   <li>
+    <b>Subversion 1.8.8</b> (Thursday, 20 February 2014): Bugfix/security release.
+  </li>
+  <li>
     <b>Subversion 1.8.5</b> (Monday, 25 November 2013): Bugfix/security release.
   </li>
   <li>

Modified: subversion/site/publish/download/download.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/download/download.html?rev=1570273&r1=1570272&r2=1570273&view=diff
==============================================================================
--- subversion/site/publish/download/download.html (original)
+++ subversion/site/publish/download/download.html Thu Feb 20 16:59:15 2014
@@ -1,6 +1,6 @@
 <h1>Download Source Code</h1>
 
-[define version]1.8.5[end]
+[define version]1.8.8[end]
 [define supported]1.7.14[end]
 <!-- [define prerelease]1.8.0-rc3[end] -->
 
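Review bot: `[define supported]1.7.14[end]` is left unchanged in this hunk, but the advisory added in this same commit lists 1.7.14 as the last vulnerable 1.7.x server and 1.7.16 as a fixed release. If 1.7.16 is being published alongside 1.8.8, bump `supported` and the checksums in the supported-releases table in this commit as well; otherwise the download page keeps offering a build the advisory marks as affected.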
@@ -91,17 +91,17 @@ Other mirrors:
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.bz2">subversion-[version].tar.bz2</a></td>
-  <td class="checksum">d21de7daf37d9dd1cb0f777e999a529b96f83082</td>
+  <td class="checksum">8e9f10b7a9704c90e17cfe76fd56e3fe74c01a7a</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.gz">subversion-[version].tar.gz</a></td>
-  <td class="checksum">2859de4cdce4494cecc7a71df4dfbf7a765d7759</td>
+  <td class="checksum">0317474e42ba9fdd122030e40b862617ae97a5d0</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].zip">subversion-[version].zip</a></td>
-  <td class="checksum">66643c80041fedf585c8f4537331212e821aeef5</td>
+  <td class="checksum">37790421139d8ce6643a5e690f2cb718ee818cea</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].zip.asc">PGP</a>]</td>
 </tr>
 </table>
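Review bot: The three replaced `<td class="checksum">` values are hand-pasted SHA1 digests, and nothing in the diff ties them to the 1.8.8 artifacts that `[version]` now resolves to, so a paste error would only surface when a user's verification fails. Please confirm each digest against the released tarballs before this goes live. The `.asc` PGP links in the adjacent column, fetched over https from www.apache.org, remain the stronger check, and a SHA-512 column would be a worthwhile follow-up.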
@@ -127,6 +127,7 @@ Other mirrors:
   <th>Checksum (SHA1)</th>
   <th>Signatures</th>
 </tr>
+<tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.bz2">subversion-[supported].tar.bz2</a></td>
   <td class="checksum">b35254a844d0b221a3fd8e80974ac75119d77b94</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.bz2.asc">PGP</a>]</td>
@@ -140,6 +141,7 @@ Other mirrors:
   <td><a href="[preferred]subversion/subversion-[supported].zip">subversion-[supported].zip</a></td>
   <td class="checksum">3875467f272cd3e78d12ac57dc42d6e690033494</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].zip.asc">PGP</a>]</td>
+</tr>
 </table>
 
 </div>  <!-- #supported-releases -->
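Review bot: The `</tr>` added before `</table>` (with its matching `<tr>` in the previous hunk) is a markup repair to the supported-releases table that the log message does not mention. It looks correct as far as the context shows, but note it in the log or commit it separately so the release and advisory change stays easy to audit.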

Modified: subversion/site/publish/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1570273&r1=1570272&r2=1570273&view=diff
==============================================================================
--- subversion/site/publish/index.html (original)
+++ subversion/site/publish/index.html Thu Feb 20 16:59:15 2014
@@ -64,6 +64,25 @@
 
 <!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
 
+<div class="h3" id="news-20140220"> 
+<h3>2014-02-20 &mdash; Apache Subversion 1.8.8 Released
+ <a class="sectionlink" href="#news-20140220"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.8.8.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201402.mbox/%3C530633AC.2050507@apache.org%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.8/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download/#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20140220 --> 
+
 <div class="h3" id="news-20131125-2"> 
 <h3>2013-11-25 &mdash; Apache Subversion 1.8.5 Released
  <a class="sectionlink" href="#news-20131125-2"
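Review bot: The new `news-20140220` item never says that 1.8.8 is a security release, although release-history.html in this commit labels it "Bugfix/security release" and the commit publishes the CVE-2014-0032 advisory. Add a sentence linking to `/security/CVE-2014-0032-advisory.txt` so administrators reading the front page see why the upgrade matters; the same applies to the identical block added to news.html. Several of the added lines also end in trailing whitespace.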
@@ -103,25 +122,6 @@
  
 </div> <!-- #news-20131125-1 --> 
 
-<div class="h3" id="news-20131029"> 
-<h3>2013-10-29 &mdash; Apache Subversion 1.8.4 Released
- <a class="sectionlink" href="#news-20131029"
- title="Link to this section">&para;</a> 
-</h3> 
- 
-<p>We are pleased to announce the release of Apache Subversion 1.8.4.
- This is the most complete Subversion release to date, and we encourage
- users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201310.mbox/%3C526FD988.9040608@apache.org%3E"
- >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.4/CHANGES"
- >change log</a> for more information about this release.</p> 
- 
-<p>To get this release from the nearest mirror, please visit our
- <a href="/download/#recommended-release">download page</a>.</p> 
- 
-</div> <!-- #news-20131029 -->
-
 <p style="font-style: italic; text-align:
    right;">[Click <a href="/news.html">here</a> to see all News
    items.]</p>

Modified: subversion/site/publish/news.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/news.html?rev=1570273&r1=1570272&r2=1570273&view=diff
==============================================================================
--- subversion/site/publish/news.html (original)
+++ subversion/site/publish/news.html Thu Feb 20 16:59:15 2014
@@ -22,6 +22,25 @@
 <!-- Maybe we could insert H2's to split up the news items by  -->
 <!-- calendar year if we felt the need to do so.               -->
 
+<div class="h3" id="news-20140220"> 
+<h3>2014-02-20 &mdash; Apache Subversion 1.8.8 Released
+ <a class="sectionlink" href="#news-20140220"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.8.8.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201402.mbox/%3C530633AC.2050507@apache.org%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.8/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download/#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20140220 --> 
+
 <div class="h3" id="news-20131125-2"> 
 <h3>2013-11-25 &mdash; Apache Subversion 1.8.5 Released
  <a class="sectionlink" href="#news-20131125-2"

Added: subversion/site/publish/security/CVE-2014-0032-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2014-0032-advisory.txt?rev=1570273&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2014-0032-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2014-0032-advisory.txt Thu Feb 20 16:59:15 2014
@@ -0,0 +1,190 @@
+  mod_dav_svn is vunerable to a remotely triggerable segfault DoS vulnerability
+  when SVNListParentPath is on.
+
+Summary:
+========
+
+  Subversion's mod_dav_svn Apache HTTPD server module will crash when it
+  receives an OPTIONS request against the server root and Subversion is
+  configured to handle the server root and SVNListParentPath is on.
+
+  This can lead to a DoS.  There are no known instances of this
+  problem being exploited in the wild, but the details of how to exploit
+  it have been disclosed on the Subversion development mailing list.
+
+Known vulnerable:
+=================
+
+  Subversion HTTPD servers 1.3.0 through 1.7.14 (inclusive)
+  Subversion HTTPD servers 1.8.0 through 1.8.5 (inclusive)
+
+Known fixed:
+============
+
+  Subversion 1.7.15 (not publicly released)
+  Subversion 1.7.16
+  Subversion 1.8.6-1.8.7 (not publicly released)
+  Subversion 1.8.8
+  svnserve (any version) is not vulnerable
+
+Details:
+========
+
+  When Subversion is configured on the root path of the server and the
+  SVNListParentPath directive is set to on then the following commands
+  will trigger a segfault:
+    svn list http://svn.example.com/
+    svn lock http://svn.example.com/
+
+  This occurs because when mod_dav_svn attempts to calculate the parent
+  path of the request is ends up setting a NULL pointer (since there can be
+  no parent of the server root URI), which is later assumed to be valid memory.
+
+  When Subversion is configured on any Location other than "/" (e.g. "/svn")
+  then the problem does not occur since the parent of the path can be
+  calculated and stored in memory.
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 4.3 
+  CVSSv2 Base Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
+
+  We consider this to be a medium risk vulnerability.  Repositories which
+  allow for anonymous reads will be vulnerable without authentication.
+  However, we believe the required configuration is relatively rare.  Most
+  systems are not hosting Subversion on the root path of the server and
+  only a small number of those have the SVNListParentPath configuration on.
+
+  A remote attacker may be able to crash a Subversion server.  Many Apache
+  servers will respawn the listener processes, but a determined attacker
+  will be able to crash these processes as they appear, denying service to
+  legitimate users.  Servers using threaded MPMs will close the connection
+  on other clients being served by the same process that services the
+  OPTIONS request from the attacker.  In either case there is an increased
+  processing impact of restarting a process and the cost of per process
+  caches being lost.
+
+Recommendations:
+================
+
+  We recommend all users to upgrade to Subversion 1.8.8.  Users of
+  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
+  included patch.
+
+  New Subversion packages can be found at:
+  http://subversion.apache.org/packages.html
+
+  Administrators that wish to protect against this without patching
+  immediately can apply the following configuration to their httpd.conf
+  file:
+  [[[
+    <LocationMatch ^/$>
+      <LimitExcept GET>
+        Order Deny,Allow
+        Deny from all
+      </LimitExcept>
+    </LocationMatch>
+  ]]]
+
+  CAUTION: The above configuration should only be used when Subversion is
+  enabled on the root location in a parent path configuration.  For example the
+  following is the minimal configuration that matches this case:
+  [[
+    <Location />
+      DAV svn
+      SVNParentPath /var/svn
+    </Location>
+  ]]
+
+  In this case it will not block any useful requests and can be used without
+  concern that it will break anything.  If Subversion is running on any other
+  path or is not being used in a parent path configuration this configuration
+  should not be applied as these configurations are not vulnerable and it can
+  break functionality of Subversion or other applications being served from the
+  same httpd.
+
+References:
+===========
+
+  CVE-2014-0032  (Subversion)
+
+  Report on dev mailing list: https://mail-archives.apache.org/mod_mbox/subversion-dev/201401.mbox/%3CCANvU9scLHr2yOLABW8q6_wNzhEf7pWM%3DNiavGcobqvUuyhKyAA%40mail.gmail.com%3E
+
+Reported by:
+============
+
+  Lieven Govaerts <lgo{_AT_}apache.org>
+
+Patches:
+========
+
+  Patch against 1.7.14:
+
+[[[
+Index: subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion/mod_dav_svn/repos.c      (revision 1558691)
++++ subversion/mod_dav_svn/repos.c      (revision 1558692)
+@@ -1959,6 +1959,25 @@
+      of private resource, iff the SVNListParentPath directive is 'on'. */
+   if (dav_svn__is_parentpath_list(r))
+     {
++      /* Only allow GET and HEAD on the parentpath resource
++       * httpd uses the same method_number for HEAD as GET */
++      if (r->method_number != M_GET)
++        {
++          int status;
++
++          /* Marshall the error back to the client by generating by
++           * way of the dav_svn__error_response_tag trick. */
++          err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
++                                   SVN_ERR_APMOD_MALFORMED_URI,
++                                   "The URI does not contain the name "
++                                   "of a repository.");
++          /* can't use r->allowed since the default handler isn't called */
++          apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
++          status = dav_svn__error_response_tag(r, err);
++
++          return dav_push_error(r->pool, status, err->error_id, NULL, err);
++        }
++
+       err = get_parentpath_resource(r, resource);
+       if (err)
+         return err;
+]]]
+
+  Patch against 1.8.5:
+
+[[[
+Index: subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion/mod_dav_svn/repos.c      (revision 1558291)
++++ subversion/mod_dav_svn/repos.c      (revision 1558292)
+@@ -1971,6 +1971,25 @@
+      of private resource, iff the SVNListParentPath directive is 'on'. */
+   if (dav_svn__is_parentpath_list(r))
+     {
++      /* Only allow GET and HEAD on the parentpath resource
++       * httpd uses the same method_number for HEAD as GET */
++      if (r->method_number != M_GET)
++        {
++          int status;
++
++          /* Marshall the error back to the client by generating by
++           * way of the dav_svn__error_response_tag trick. */
++          err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
++                                   SVN_ERR_APMOD_MALFORMED_URI,
++                                   "The URI does not contain the name "
++                                   "of a repository.");
++          /* can't use r->allowed since the default handler isn't called */
++          apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
++          status = dav_svn__error_response_tag(r, err);
++
++          return dav_push_error(r->pool, status, err->error_id, NULL, err);
++        }
++
+       err = get_parentpath_resource(r, resource);
+       if (err)
+         return err;
+]]]
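Review bot: The Recommendations section tells all users to upgrade to 1.8.8 but never mentions 1.7.16, which Known fixed lists as a fixed release for the 1.7.x line; name it there so 1.7.x administrators are not steered to the patch when a fixed release exists. Also in the text: "vunerable" in the title and "the request is ends up" in Details are typos, the minimal-configuration example is delimited with `[[`/`]]` while the other blocks use `[[[`/`]]]`, and the Summary names an OPTIONS request while Details shows only `svn list` and `svn lock`, so a sentence connecting the two would help readers writing filter or detection rules. In the embedded repos.c patches the guard is on `r->method_number != M_GET` rather than on the NULL parent path that Details gives as the root cause; the advisory should say that the fix works by answering non-GET/HEAD methods on the parent-path listing with 405.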

Propchange: subversion/site/publish/security/CVE-2014-0032-advisory.txt
------------------------------------------------------------------------------
    svn-eol-style = native

Propchange: subversion/site/publish/security/CVE-2014-0032-advisory.txt
------------------------------------------------------------------------------
    svn:mime-type = text/plain
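Review bot: The first propchange sets `svn-eol-style = native`, with a hyphen instead of a colon, so it creates an unrelated custom property and `svn:eol-style` is not actually set on the advisory file. Compare `svn:mime-type` in the second propchange; delete `svn-eol-style` and set `svn:eol-style` to `native`.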

Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1570273&r1=1570272&r2=1570273&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Thu Feb 20 16:59:15 2014
@@ -190,6 +190,11 @@ Subversion project.</p>
 <td>1.7.11-1.7.13 and 1.8.1-1.8.4</td>
 <td>mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits</td>
 </tr>
+<tr>
+<td><a href="CVE-2014-0032-advisory.txt">CVE-2014-0032-advisory.txt</a></td>
+<td>1.3.0-1.7.14 and 1.8.0-1.8.5</td>
+<td>mod_dav_svn DoS vulnerability with SVNListParentPath</td>
+</tr>
 </tbody>
 </table>
 


