Posted to commits@subversion.apache.org by ko...@apache.org on 2015/12/15 16:36:45 UTC

svn commit: r1720182 - in /subversion/site/publish: doap.rdf docs/release-notes/1.9.html docs/release-notes/release-history.html download.html index.html news.html security/CVE-2015-5259-advisory.txt security/CVE-2015-5343-advisory.txt security/index.html

Author: kotkov
Date: Tue Dec 15 15:36:45 2015
New Revision: 1720182

URL: http://svn.apache.org/viewvc?rev=1720182&view=rev
Log:
Update the site for 1.8.15 and 1.9.3 releases, including the security
advisories fixed by those releases.

* site/publish/doap.rdf: Update the versions.

* site/publish/docs/release-notes/release-history.html: Add Subversion 1.8.15
  and 1.9.3 entries.

* site/publish/docs/release-notes/1.9.html
  (no-op-changes): Adjust the state of this issue.

* site/publish/download.html: Adjust both the recommended and supported
  versions and the file checksums.

* site/publish/news.html: Add news items about Subversion 1.8.15 and 1.9.3.

* site/publish/index.html: Add news items about Subversion 1.8.15 and 1.9.3.
  Remove two oldest items from this page.

* site/publish/security/CVE-2015-5259-advisory.txt,
  site/publish/security/CVE-2015-5343-advisory.txt: Add new files.

* site/publish/security/index.html: Append CVE-2015-5259 and CVE-2015-5343
  entries.

Added:
    subversion/site/publish/security/CVE-2015-5259-advisory.txt   (with props)
    subversion/site/publish/security/CVE-2015-5343-advisory.txt   (with props)
Modified:
    subversion/site/publish/doap.rdf
    subversion/site/publish/docs/release-notes/1.9.html
    subversion/site/publish/docs/release-notes/release-history.html
    subversion/site/publish/download.html
    subversion/site/publish/index.html
    subversion/site/publish/news.html
    subversion/site/publish/security/index.html

Modified: subversion/site/publish/doap.rdf
URL: http://svn.apache.org/viewvc/subversion/site/publish/doap.rdf?rev=1720182&r1=1720181&r2=1720182&view=diff
==============================================================================
--- subversion/site/publish/doap.rdf (original)
+++ subversion/site/publish/doap.rdf Tue Dec 15 15:36:45 2015
@@ -37,15 +37,15 @@
     <release>
       <Version>
         <name>Recommended current 1.9 release</name>
-        <created>2015-09-23</created>
-        <revision>1.9.2</revision>
+        <created>2015-12-15</created>
+        <revision>1.9.3</revision>
       </Version>
     </release>
     <release>
       <Version>
         <name>Current 1.8 release</name>
-        <created>2015-08-05</created>
-        <revision>1.8.14</revision>
+        <created>2015-12-15</created>
+        <revision>1.8.15</revision>
       </Version>
     </release>
     <release>

Modified: subversion/site/publish/docs/release-notes/1.9.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/1.9.html?rev=1720182&r1=1720181&r2=1720182&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/1.9.html (original)
+++ subversion/site/publish/docs/release-notes/1.9.html Tue Dec 15 15:36:45 2015
@@ -1441,10 +1441,6 @@ may be fixed in later 1.9.x releases.</p
 <p>See <a href="https://issues.apache.org/jira/browse/SVN-4598">issue #4598 "No-op changes no longer dumped by 'svnadmin dump' in 1.9"</a>.
 </p>
 
-<p>The impact of this change is still under discussion. A brief, initial
-description follows.
-</p>
-
 <p>It has always been possible, in atypical cases, for a commit to mark a
 file as 'changed' without actually changing the file's text and/or
 properties to a different value. Starting from 1.9.0, <tt>svnadmin dump</tt>
@@ -1459,6 +1455,9 @@ any change in the repository for such a
 no longer list the path of such a file in its list of 'changed paths'.
 </p>
 
+<p>A fix for this problem has been included in the 1.9.3 release.
+</p>
+
 </div>  <!-- no-op-changes -->
 
 <div class="h3" id="httpv1-commit-race">
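Review bot: The added paragraph says only that a fix "has been included in the 1.9.3 release", while the unchanged text above it still reads "Starting from 1.9.0, svnadmin dump ..." with no upper bound. Consider stating the affected range (1.9.0 through 1.9.2) in that paragraph, and saying whether dump files produced by those versions should be regenerated, since that is what a reader arriving from issue #4598 will want to know.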

Modified: subversion/site/publish/docs/release-notes/release-history.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/release-history.html?rev=1720182&r1=1720181&r2=1720182&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/release-history.html (original)
+++ subversion/site/publish/docs/release-notes/release-history.html Tue Dec 15 15:36:45 2015
@@ -31,6 +31,12 @@ Subversion 2.0.</p>
 
 <ul>
   <li>
+    <b>Subversion 1.9.3</b> (Tuesday, 15 September 2015): Bugfix/security release.
+  </li>
+  <li>
+    <b>Subversion 1.8.15</b> (Tuesday, 15 September 2015): Bugfix/security release.
+  </li>
+  <li>
     <b>Subversion 1.9.2</b> (Wednesday, 23 September 2015): Bugfix release.
   </li>
   <li>
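Review bot: Both added entries give the date as "Tuesday, 15 September 2015", but this commit and the doap.rdf change in it are dated 2015-12-15, and the 1.9.2 entry directly below is 23 September 2015, so the new releases would appear older than 1.9.2. Both lines should read "Tuesday, 15 December 2015".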

Modified: subversion/site/publish/download.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/download.html?rev=1720182&r1=1720181&r2=1720182&view=diff
==============================================================================
--- subversion/site/publish/download.html (original)
+++ subversion/site/publish/download.html Tue Dec 15 15:36:45 2015
@@ -17,8 +17,8 @@
 
 <h1>Download Source Code</h1>
 
-[define version]1.9.2[end]
-[define supported]1.8.14[end]
+[define version]1.9.3[end]
+[define supported]1.8.15[end]
 [define prerelease]1.9.0-rc3[end]
 
 <div class="bigpoint">
@@ -108,17 +108,17 @@ Other mirrors:
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.bz2">subversion-[version].tar.bz2</a></td>
-  <td class="checksum">fb9db3b7ddf48ae37aa8785872301b59bfcc7017</td>
+  <td class="checksum">27e8df191c92095f48314a415194ec37c682cbcf</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.gz">subversion-[version].tar.gz</a></td>
-  <td class="checksum">4c57828c07d21b4777a058f0d3dc973652d18ce9 </td>
+  <td class="checksum">b0cf8a64b1c244fcf2fa282d59ba34d7a57c3751 </td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].zip">subversion-[version].zip</a></td>
-  <td class="checksum">a295bff06f0ce9568a6b2a076df76c19af340f9a</td>
+  <td class="checksum">a3216ef4bc804926c8be5dac07c32df5ab82d38a</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].zip.asc">PGP</a>]</td>
 </tr>
 </table>
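Review bot: The new tar.gz checksum cell keeps the trailing space before </td> that the old line had, unlike the bz2 and zip cells in the same table. Drop the space so that a value copied from the page compares equal to the output of a checksum tool.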
@@ -146,17 +146,17 @@ Other mirrors:
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.bz2">subversion-[supported].tar.bz2</a></td>
-  <td class="checksum">0698efc58373e7657f6dd3ce13cab7b002ffb497</td>
+  <td class="checksum">680acf88f0db978fbbeac89ed63776d805b918ef</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.gz">subversion-[supported].tar.gz</a></td>
-  <td class="checksum">cf29fd809927727300a083f7d14028b52258a190</td>
+  <td class="checksum">2f3349d86149a8fcaa73904e57f7ecab0d071a74</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].zip">subversion-[supported].zip</a></td>
-  <td class="checksum">c77992f2c574ce2ea680421e4393ae4c55857530</td>
+  <td class="checksum">1f95224bba59ff07307156c9531e0e988daddcce</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].zip.asc">PGP</a>]</td>
 </tr>
 </table>

Modified: subversion/site/publish/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1720182&r1=1720181&r2=1720182&view=diff
==============================================================================
--- subversion/site/publish/index.html (original)
+++ subversion/site/publish/index.html Tue Dec 15 15:36:45 2015
@@ -64,62 +64,62 @@
 
 <!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
 
-<div class="h3" id="news-20150923"> 
-<h3>2015-09-23 &mdash; Apache Subversion 1.9.2 Released
- <a class="sectionlink" href="#news-20150923"
+<div class="h3" id="news-20151215-1"> 
+<h3>2015-12-15 &mdash; Apache Subversion 1.9.3 Released
+ <a class="sectionlink" href="#news-20151215-1"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.9.2.
+<p>We are pleased to announce the release of Apache Subversion 1.9.3.
  This is the most complete Subversion release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201509.mbox/%3CCAP_GPNgyXK9ZGWZ4M2t1dWBSiKEuGbuiRVGw2AF3-MpUZ%3DTRQA%40mail.gmail.com%3E"
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201512.mbox/date"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.2/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.3/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
  <a href="/download.cgi#recommended-release">download page</a>.</p> 
  
-</div> <!-- #news-20150923 --> 
+</div> <!-- #news-20151215-1 --> 
 
-<div class="h3" id="news-20150902"> 
-<h3>2015-09-02 &mdash; Apache Subversion 1.9.1 Released
- <a class="sectionlink" href="#news-20150902"
+<div class="h3" id="news-20151215-2"> 
+<h3>2015-12-15 &mdash; Apache Subversion 1.8.15 Released
+ <a class="sectionlink" href="#news-20151215-2"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.9.1.
- This is the most complete Subversion release to date, and we encourage
+<p>We are pleased to announce the release of Apache Subversion 1.8.15.
+ This is the most complete Subversion 1.8 release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-announce/201509.mbox/%3C55E7E184.40705%40apache.org%3E"
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201512.mbox/date"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.1/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.15/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
- <a href="/download.cgi#recommended-release">download page</a>.</p> 
+ <a href="/download.cgi#supported-releases">download page</a>.</p> 
  
-</div> <!-- #news-20150902 --> 
+</div> <!-- #news-20151215-2 --> 
 
-<div class="h3" id="news-20150814"> 
-<h3>2015-08-14 &mdash; Apache Subversion 1.7.22 Released
- <a class="sectionlink" href="#news-20150814"
+<div class="h3" id="news-20150923"> 
+<h3>2015-09-23 &mdash; Apache Subversion 1.9.2 Released
+ <a class="sectionlink" href="#news-20150923"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.7.22.
- This is the most complete Subversion 1.7 release to date, and we encourage
+<p>We are pleased to announce the release of Apache Subversion 1.9.2.
+ This is the most complete Subversion release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://svn.haxx.se/dev/archive-2015-08/0098.shtml"
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201509.mbox/%3CCAP_GPNgyXK9ZGWZ4M2t1dWBSiKEuGbuiRVGw2AF3-MpUZ%3DTRQA%40mail.gmail.com%3E"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.22/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.2/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
- <a href="/download.cgi#supported-releases">download page</a>.</p> 
+ <a href="/download.cgi#recommended-release">download page</a>.</p> 
  
-</div> <!-- #news-20150814 --> 
+</div> <!-- #news-20150923 --> 
 
 <p style="font-style: italic; text-align:
    right;">[Click <a href="/news.html">here</a> to see all News
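Review bot: Both new items link "release announcement" to .../subversion-dev/201512.mbox/date, which is the month index of the dev list and not a specific message, whereas the 1.9.2 item points at an individual message. Replace the two hrefs with the permalink of each announcement so the link still leads to the right message after more mail arrives in that month.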

Modified: subversion/site/publish/news.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/news.html?rev=1720182&r1=1720181&r2=1720182&view=diff
==============================================================================
--- subversion/site/publish/news.html (original)
+++ subversion/site/publish/news.html Tue Dec 15 15:36:45 2015
@@ -22,6 +22,44 @@
 <!-- Maybe we could insert H2's to split up the news items by  -->
 <!-- calendar year if we felt the need to do so.               -->
 
+<div class="h3" id="news-20151215-1"> 
+<h3>2015-12-15 &mdash; Apache Subversion 1.9.3 Released
+ <a class="sectionlink" href="#news-20151215-1"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.9.3.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201512.mbox/date"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.3/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download.cgi#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20151215-1 --> 
+
+<div class="h3" id="news-20151215-2"> 
+<h3>2015-12-15 &mdash; Apache Subversion 1.8.15 Released
+ <a class="sectionlink" href="#news-20151215-2"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.8.15.
+ This is the most complete Subversion 1.8 release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201512.mbox/date"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.15/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download.cgi#supported-releases">download page</a>.</p> 
+ 
+</div> <!-- #news-20151215-2 --> 
+
 <div class="h3" id="news-20150923"> 
 <h3>2015-09-23 &mdash; Apache Subversion 1.9.2 Released
  <a class="sectionlink" href="#news-20150923"
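Review bot: Neither added news item says that 1.9.3 and 1.8.15 are security releases, although release-history.html in this commit labels them "Bugfix/security release" and the commit adds the CVE-2015-5259 and CVE-2015-5343 advisories. Add a sentence to each item naming the CVEs it fixes, with links to the advisory files under security/, so an administrator reading the news page can tell the upgrade is security relevant. The "release announcement" hrefs here are also the 201512.mbox/date month index and not message permalinks.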

Added: subversion/site/publish/security/CVE-2015-5259-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2015-5259-advisory.txt?rev=1720182&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2015-5259-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2015-5259-advisory.txt Tue Dec 15 15:36:45 2015
@@ -0,0 +1,107 @@
+  Remotely triggerable heap overflow and out-of-bounds read caused by
+  integer overflow in the svn:// protocol parser.
+
+Summary:
+========
+
+  Subversion servers and clients are vulnerable to a remotely triggerable
+  heap-based buffer overflow and out-of-bounds read caused by an integer
+  overflow in the svn:// protocol parser.
+
+  This allows remote attackers to cause a denial of service or possibly
+  execute arbitrary code under the context of the targeted process.
+
+Known vulnerable:
+=================
+
+  Subversion 1.9.0 through 1.9.2 (inclusive)
+
+  Only servers and clients using svn:// protocol are vulnerable
+  Subversion httpd servers and clients (any version) are not vulnerable
+
+Known fixed:
+============
+
+  Subversion 1.9.3
+
+Details:
+========
+
+  The svnserve svn:// protocol strings are sent as a length followed by
+  the string data.  The protocol parsing logic contains a flaw that allows
+  an attacker to write memory past the end of a heap buffer with a specially
+  crafted request that causes an arithmetic overflow.
+
+  Since the flaw is in the parsing of the protocol, exploiting this
+  vulnerability against an svnserve server does not require authentication
+  from the remote attacker.
+
+  The parsing code with the flaw is shared by both the svnserve server and
+  clients using the svn://, svn+ssh:// and other tunneled svn+*:// methods.
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 9
+  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
+
+  We consider this to be a high risk vulnerability.  An exploit exists and
+  has been tested to work against this vulnerability.
+
+  The denial of service attack is reasonably easy to carry out, while
+  exploiting the heap overflow is more difficult, depending upon how skilled
+  the attacker is and upon the specifics of the platform.  We do not believe
+  the exploit is being actively used in the wild at this time.
+
+Recommendations:
+================
+
+  We recommend all users of Subversion 1.9.x to upgrade to Subversion 1.9.3.
+  Users of Subversion 1.9.x who are unable to upgrade may apply the included
+  patch.
+
+  New Subversion packages can be found at:
+  http://subversion.apache.org/packages.html
+
+  No workaround is available.
+
+References:
+===========
+
+  CVE-2015-5259  (Subversion)
+
+Reported by:
+============
+
+  Ivan Zhakov, VisualSVN
+
+Patches:
+========
+
+  Patch for Subversion 1.9.2:
+
+[[[
+Index: subversion/libsvn_ra_svn/marshal.c
+===================================================================
+--- subversion/libsvn_ra_svn/marshal.c	(revision 1714391)
++++ subversion/libsvn_ra_svn/marshal.c	(working copy)
+@@ -944,6 +944,7 @@
+   apr_size_t len = (apr_size_t)len64;
+   apr_size_t readbuf_len;
+   char *dest;
++  apr_size_t buflen;
+ 
+   /* We can't store strings longer than the maximum size of apr_size_t,
+    * so check for wrapping */
+@@ -951,8 +952,9 @@
+     return svn_error_create(SVN_ERR_RA_SVN_MALFORMED_DATA, NULL,
+                             _("String length larger than maximum"));
+ 
++  buflen = conn->read_end - conn->read_ptr;
+   /* Shorter strings can be copied directly from the read buffer. */
+-  if (conn->read_ptr + len <= conn->read_end)
++  if (len <= buflen)
+     {
+       item->kind = SVN_RA_SVN_STRING;
+       item->u.string = svn_string_ncreate(conn->read_ptr, len, pool);
+]]]
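Review bot: "Known vulnerable" says "Only servers and clients using svn:// protocol are vulnerable", but Details states that the flawed parsing code is shared by clients using svn://, svn+ssh:// and other tunneled svn+*:// methods. Align the two sections so that svn+ssh:// users do not conclude they are unaffected. In the embedded patch, the only arithmetic that changes is the bounds test: "conn->read_ptr + len <= conn->read_end" becomes "len <= buflen" with buflen = conn->read_end - conn->read_ptr. A sentence in Details naming that comparison as the overflowing expression would help anyone backporting or auditing the fix.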

Propchange: subversion/site/publish/security/CVE-2015-5259-advisory.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Added: subversion/site/publish/security/CVE-2015-5343-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2015-5343-advisory.txt?rev=1720182&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2015-5343-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2015-5343-advisory.txt Tue Dec 15 15:36:45 2015
@@ -0,0 +1,145 @@
+  Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn
+  caused by integer overflow when parsing skel-encoded request bodies.
+
+Summary:
+========
+
+  Subversion's httpd servers are vulnerable to a remotely triggerable
+  heap-based buffer overflow and out-of-bounds read caused by an integer
+  overflow when parsing skel-encoded request bodies.
+
+  This allows remote attackers with write access to a repository to cause
+  a denial of service or possibly execute arbitrary code under the context
+  of the httpd process.  32-bit server versions are vulnerable to both the
+  denial-of-service attack and possible arbitrary code execution.  64-bit
+  server versions are only vulnerable to the denial-of-service attack.
+
+Known vulnerable:
+=================
+
+  Subversion httpd servers 1.7.0 to 1.8.14 (inclusive)
+  Subversion httpd servers 1.9.0 through 1.9.2 (inclusive)
+
+  Subversion svnserve servers (any version) are not vulnerable
+
+Known fixed:
+============
+
+  Subversion 1.8.15
+  Subversion 1.9.3
+
+Details:
+========
+
+  The Subversion http://-based protocol used for communicating with
+  a Subversion mod_dav_svn server has two versions, v1 and v2.  The v2
+  protocol was added in Subversion 1.7.0.  As a part of the commit happening
+  over v2 protocol, the client sends a POST request with the request body
+  containing data encoded in a special `skeleton' (or `skel') format.
+
+  The parser of skel-encoded request bodies in mod_dav_svn contains a flaw
+  that allows the attacker to write memory past the end of a heap buffer
+  with a specially crafted request that causes an arithmetic overflow in
+  32-bit server versions.  64-bit server versions are not vulnerable to
+  the heap-based buffer overflow, but can be forced into allocating huge
+  amounts of memory, thus, the successful attack on them would cause
+  denial-of-service conditions.
+
+  Exploiting this vulnerability requires the attacker to be authenticated
+  and to have write access to a repository on the targeted server.
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 4.6
+  CVSSv2 Base Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P
+
+  We consider this to be a medium risk vulnerability.  In order to take
+  advantage of this attack the attacker would require write access to the
+  repository.  Most configurations require authentication to commit changes
+  and so anonymous users would not be able to use this attack in these cases.
+
+  With the write access, the denial of service attack is reasonably easy
+  to carry out, while exploiting the heap overflow is more difficult,
+  depending upon how skilled the attacker is and upon the specifics of
+  the platform.
+
+  In case of the denial of service attack, a remote attacker may be able
+  to crash a Subversion server.  Many Apache servers will respawn the
+  listener processes, but a determined attacker will be able to crash
+  these processes as they appear, denying service to legitimate users.
+  Servers using threaded MPMs will close the connection on other clients
+  being served by the same process that services the request from the
+  attacker.  In either case there is an increased processing impact of
+  restarting a process and the cost of per process caches being lost.
+
+Recommendations:
+================
+
+  We recommend all users to upgrade to Subversion 1.9.3.  Users of
+  Subversion 1.8.x and 1.9.x who are unable to upgrade may apply the
+  included patch.
+
+  New Subversion packages can be found at:
+  http://subversion.apache.org/packages.html
+
+  No workaround is available.
+
+References:
+===========
+
+  CVE-2015-5343  (Subversion)
+
+Reported by:
+============
+
+  Ivan Zhakov, VisualSVN
+
+Patches:
+========
+
+  Patch for Subversion 1.8.14:
+
+[[[
+Index: subversion/mod_dav_svn/util.c
+===================================================================
+--- subversion/mod_dav_svn/util.c	(revision 1714525)
++++ subversion/mod_dav_svn/util.c	(working copy)
+@@ -778,7 +778,12 @@
+ 
+   if (content_length)
+     {
+-      buf = svn_stringbuf_create_ensure(content_length, pool);
++      /* Do not allocate more than 1 MB until we receive request body. */
++      apr_size_t alloc_len = 1 * 1024 *1024;
++      if (content_length < alloc_len)
++        alloc_len = (apr_size_t) content_length;
++
++      buf = svn_stringbuf_create_ensure(alloc_len, pool);
+     }
+   else
+     {
+]]]
+
+  Patch for Subversion 1.9.2:
+
+[[[
+Index: subversion/mod_dav_svn/util.c
+===================================================================
+--- subversion/mod_dav_svn/util.c	(revision 1714391)
++++ subversion/mod_dav_svn/util.c	(working copy)
+@@ -775,7 +775,12 @@
+ 
+   if (content_length)
+     {
+-      buf = svn_stringbuf_create_ensure(content_length, pool);
++      /* Do not allocate more than 1 MB until we receive request body. */
++      apr_size_t alloc_len = 1 * 1024 *1024;
++      if (content_length < alloc_len)
++        alloc_len = (apr_size_t) content_length;
++
++      buf = svn_stringbuf_create_ensure(alloc_len, pool);
+     }
+   else
+     {
+]]]
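Review bot: Recommendations tells all users to upgrade to 1.9.3 and never mentions 1.8.15, although "Known fixed" lists it, and "Known vulnerable" starts at 1.7.0 while patches are included only for 1.8.14 and 1.9.2. Name 1.8.15 as the upgrade target for 1.8.x users and state what operators of 1.7.x httpd servers should do. In both patches, "1 * 1024 *1024" is missing a space before the last operand.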

Propchange: subversion/site/publish/security/CVE-2015-5343-advisory.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1720182&r1=1720181&r2=1720182&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Tue Dec 15 15:36:45 2015
@@ -245,6 +245,18 @@ some mixed anonymous/authenticated envir
 <td>Subversion servers, both httpd and svnserve, will reveal some paths that
 should be hidden by path-based authz.</td>
 </tr>
+<tr>
+<td><a href="CVE-2015-5259-advisory.txt">CVE-2015-5259-advisory.txt</a></td>
+<td>1.9.0-1.9.2</td>
+<td>Remotely triggerable heap overflow and out-of-bounds read caused by
+integer overflow in the svn:// protocol parser.</td>
+</tr>
+<tr>
+<td><a href="CVE-2015-5343-advisory.txt">CVE-2015-5343-advisory.txt</a></td>
+<td>1.7.0-1.8.14 and 1.9.0-1.9.2</td>
+<td>Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn
+caused by integer overflow when parsing skel-encoded request bodies.</td>
+</tr>
 </tbody>
 </table>