Subject: Re: Subversion upgrade problem
From: Parrish Knight
To: users@subversion.apache.org
Date: Mon, 22 Oct 2012 08:58:49 -0400
In-Reply-To: <20121022125408.GB15478@ted.stsp.name>
References: <20121022125408.GB15478@ted.stsp.name>

On Mon, Oct 22, 2012 at 8:54 AM, Stefan Sperling wrote:
> On Mon, Oct 22, 2012 at 08:43:16AM -0400, Parrish Knight wrote:
>> Good morning:
>>
>> I am the Help Desk Lead at the National Geodetic Survey, an agency of
>> NOAA, the National Oceanic and Atmospheric Administration. Currently,
>> I am in the process of migrating one of our developers from a rather
>> aged desktop to a more modern laptop. Part of our upgrade procedure is
>> for our security officer to scan all new seats for vulnerabilities
>> before approving them for release to the end user. I've got a bit of
>> a puzzler regarding a vulnerability in Subversion, and I have not been
>> able to locate a remedy. The recommended remedy is to uninstall all
>> previous versions of Subversion and install the most recent version
>> (currently 1.7.7). I followed this procedure, but our security
>> officer reported that the problem persists.
>
> Hi,
>
> which problem do you mean exactly?

The reported problem is with earlier versions of Subversion, but our
security officer reports that the problem persists even after an upgrade.

"Multiple integer overflows in the libsvn_delta library in Subversion
before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users
and remote Subversion servers to execute arbitrary code via an svndiff
stream with large windows that trigger a heap-based buffer overflow, a
related issue to CVE-2009-2412."

http://www.orvant.com/vuln/detail/181334/CVE-2009-2411

--
Parrish S. Knight
NGS Help Desk Lead
301-713-3254 x184
parrish.knight@noaa.gov
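The advisory text quoted in the message names two affected ranges (before 1.5.7, and 1.6.x before 1.6.4), which is exactly the kind of check a help desk can run before handing a seat to the security officer. The following Python script is an added example written for this thread, not code from the list or the Subversion project. It encodes those two ranges, parses the version string that `svn --version --quiet` prints, and lists every `svn` executable on PATH rather than only the first one; the assumption (not stated in the thread) that a machine may still carry more than one copy of Subversion after an upgrade is what motivates checking each copy. The sample version strings in the comments and test are constructed.

```python
"""Check installed Subversion copies against the libsvn_delta overflow advisory
(CVE-2009-2411) quoted in the thread.

Affected ranges, taken from the advisory text in the message:
  - before 1.5.7
  - 1.6.x before 1.6.4
Everything else (including 1.7.7, the version installed in the thread) is outside
those ranges.
"""
import os
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# First x.y.z triple in a string such as "svn, version 1.7.7" or the bare "1.7.7"
# that `svn --version --quiet` prints (constructed sample strings).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first major.minor.patch triple found in text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected_by_cve_2009_2411(version: Version) -> bool:
    """True when version lies inside the ranges named in the advisory.

    The advisory has a gap: 1.5.7 and later 1.5.x are fixed, while 1.6.0-1.6.3
    are affected again, so a single "less than 1.6.4" comparison would wrongly
    flag 1.5.7 and 1.5.8.
    """
    major, minor, patch = version
    if (major, minor, patch) < (1, 5, 7):
        return True
    if (major, minor) == (1, 6) and patch < 4:
        return True
    return False


def svn_binaries_on_path(path: Optional[str] = None) -> List[str]:
    """Every svn executable on PATH, not just the first one a shell would pick.

    Assumption (not from the thread): after an upgrade an older copy may remain
    in another PATH directory, so each copy is reported separately.
    """
    search = os.environ.get("PATH", "") if path is None else path
    name = "svn.exe" if os.name == "nt" else "svn"
    found = []
    for directory in search.split(os.pathsep):
        if not directory:
            continue
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            found.append(candidate)
    return found


def report(binaries: List[str]) -> List[Tuple[str, Optional[Version], bool]]:
    """Run each binary with --version --quiet and classify its version."""
    rows = []
    for binary in binaries:
        try:
            out = subprocess.run(
                [binary, "--version", "--quiet"],
                capture_output=True, text=True, timeout=10, check=False,
            ).stdout
        except (OSError, subprocess.SubprocessError):
            out = ""  # unreadable or hung binary: reported as unknown version
        version = parse_version(out)
        affected = version is not None and is_affected_by_cve_2009_2411(version)
        rows.append((binary, version, affected))
    return rows


if __name__ == "__main__":
    for path_, version, affected in report(svn_binaries_on_path()):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{path_}: {shown} -> {'AFFECTED' if affected else 'not affected'}")
```

A copy that reports "unknown" is worth as much attention as one that reports an affected version: a scanner that fingerprints library files rather than asking the binary for its version will still see it.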