You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@subversion.apache.org by br...@apache.org on 2014/12/15 22:17:13 UTC
svn commit: r1645754 - in /subversion/site/publish: doap.rdf
docs/release-notes/release-history.html download/download.html index.html
news.html security/CVE-2014-3580-advisory.txt
security/CVE-2014-8108-advisory.txt security/index.html
Author: breser
Date: Mon Dec 15 21:17:13 2014
New Revision: 1645754
URL: http://svn.apache.org/r1645754
Log:
Update website for 1.7.19 and 1.8.11 releases.
Added:
subversion/site/publish/security/CVE-2014-3580-advisory.txt (with props)
subversion/site/publish/security/CVE-2014-8108-advisory.txt (with props)
Modified:
subversion/site/publish/doap.rdf
subversion/site/publish/docs/release-notes/release-history.html
subversion/site/publish/download/download.html
subversion/site/publish/index.html
subversion/site/publish/news.html
subversion/site/publish/security/index.html
Modified: subversion/site/publish/doap.rdf
URL: http://svn.apache.org/viewvc/subversion/site/publish/doap.rdf?rev=1645754&r1=1645753&r2=1645754&view=diff
==============================================================================
--- subversion/site/publish/doap.rdf (original)
+++ subversion/site/publish/doap.rdf Mon Dec 15 21:17:13 2014
@@ -37,15 +37,15 @@
<release>
<Version>
<name>Recommended current 1.8 release</name>
- <created>2014-08-11</created>
- <revision>1.8.10</revision>
+ <created>2014-12-15</created>
+ <revision>1.8.11</revision>
</Version>
</release>
<release>
<Version>
<name>Current 1.7 release</name>
- <created>2014-08-11</created>
- <revision>1.7.18</revision>
+ <created>2014-12-15</created>
+ <revision>1.7.19</revision>
</Version>
</release>
<repository>
Modified: subversion/site/publish/docs/release-notes/release-history.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/release-history.html?rev=1645754&r1=1645753&r2=1645754&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/release-history.html (original)
+++ subversion/site/publish/docs/release-notes/release-history.html Mon Dec 15 21:17:13 2014
@@ -31,6 +31,12 @@ Subversion 2.0.</p>
<ul>
<li>
+ <b>Subversion 1.8.11</b> (Monday, 15 December 2014): Bugfix/security release.
+ </li>
+ <li>
+ <b>Subversion 1.7.19</b> (Monday, 15 December 2014): Bugfix/security release.
+ </li>
+ <li>
<b>Subversion 1.8.10</b> (Monday, 11 August 2014): Bugfix/security release.
</li>
<li>
Modified: subversion/site/publish/download/download.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/download/download.html?rev=1645754&r1=1645753&r2=1645754&view=diff
==============================================================================
--- subversion/site/publish/download/download.html (original)
+++ subversion/site/publish/download/download.html Mon Dec 15 21:17:13 2014
@@ -1,7 +1,7 @@
<h1>Download Source Code</h1>
-[define version]1.8.10[end]
-[define supported]1.7.18[end]
+[define version]1.8.11[end]
+[define supported]1.7.19[end]
[define prerelease]1.9.0-alpha2[end]
<div class="bigpoint">
@@ -91,17 +91,17 @@ Other mirrors:
</tr>
<tr>
<td><a href="[preferred]subversion/subversion-[version].tar.bz2">subversion-[version].tar.bz2</a></td>
- <td class="checksum">d6896d94bb53c1b4c6e9c5bb1a5c466477b19b2b</td>
+ <td class="checksum">161edaee328f4fdcfd2a7c10ecd3fbcd51c61275</td>
<td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc">PGP</a>]</td>
</tr>
<tr>
<td><a href="[preferred]subversion/subversion-[version].tar.gz">subversion-[version].tar.gz</a></td>
- <td class="checksum">8e1e1e5fd97c3f575a81d66232c62dc902257a17</td>
+ <td class="checksum">2fe09670b21fcd7e083b10f088dedcd3252e8e16</td>
<td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc">PGP</a>]</td>
</tr>
<tr>
<td><a href="[preferred]subversion/subversion-[version].zip">subversion-[version].zip</a></td>
- <td class="checksum">963637c9aac7f50b1b8d10a8918c57a88fb6844d</td>
+ <td class="checksum">bb43d38c98d6c84197ec71d1bf4f03c6bf38d14c</td>
<td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].zip.asc">PGP</a>]</td>
</tr>
</table>
@@ -129,17 +129,17 @@ Other mirrors:
</tr>
<tr>
<td><a href="[preferred]subversion/subversion-[supported].tar.bz2">subversion-[supported].tar.bz2</a></td>
- <td class="checksum">56bd2b413950c916642bb4c280690da875d3c745</td>
+ <td class="checksum">a662721a3a1da70c4b0732d0bde5008ce8873575</td>
<td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.bz2.asc">PGP</a>]</td>
</tr>
<tr>
<td><a href="[preferred]subversion/subversion-[supported].tar.gz">subversion-[supported].tar.gz</a></td>
- <td class="checksum">96873512eeb196e5ba6435fbffb24ba284bfcf84</td>
+ <td class="checksum">bb3cd135bbd856e7f0f2d59313f075b9bbec9848</td>
<td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.gz.asc">PGP</a>]</td>
</tr>
<tr>
<td><a href="[preferred]subversion/subversion-[supported].zip">subversion-[supported].zip</a></td>
- <td class="checksum">09fa636f2c59a5a4bc965def814645a2841e1b91</td>
+ <td class="checksum">3681b967d1c154b2aa4ccb63984d89aedafc488b</td>
<td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].zip.asc">PGP</a>]</td>
</tr>
</table>
Modified: subversion/site/publish/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1645754&r1=1645753&r2=1645754&view=diff
==============================================================================
--- subversion/site/publish/index.html (original)
+++ subversion/site/publish/index.html Mon Dec 15 21:17:13 2014
@@ -64,44 +64,44 @@
<!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
-<div class="h3" id="news-20140811-1">
-<h3>2014-08-11 — Apache Subversion 1.8.10 Released
- <a class="sectionlink" href="#news-20140811-1"
+<div class="h3" id="news-20141215-1">
+<h3>2014-12-15 — Apache Subversion 1.8.11 Released
+ <a class="sectionlink" href="#news-20141215-1"
title="Link to this section">¶</a>
</h3>
-<p>We are pleased to announce the release of Apache Subversion 1.8.10.
+<p>We are pleased to announce the release of Apache Subversion 1.8.11.
This is the most complete Subversion release to date, and we encourage
users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E8E6BA.5030100@apache.org%3E"
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201412.mbox/%3C548F4EF1.9070900@apache.org%3E"
>release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.10/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.11/CHANGES"
>change log</a> for more information about this release.</p>
<p>To get this release from the nearest mirror, please visit our
- <a href="/download/#recommended-release">download page</a>.</p>
+ <a href="/download/update=201412151630#recommended-release">download page</a>.</p>
-</div> <!-- #news-20140811-1 -->
+</div> <!-- #news-20141215-1 -->
-<div class="h3" id="news-20140811-2">
-<h3>2014-08-11 — Apache Subversion 1.7.18 Released
- <a class="sectionlink" href="#news-20140811-2"
+<div class="h3" id="news-20140815-2">
+<h3>2014-12-15 — Apache Subversion 1.7.19 Released
+ <a class="sectionlink" href="#news-20141215-2"
title="Link to this section">¶</a>
</h3>
-<p>We are pleased to announce the release of Apache Subversion 1.7.18.
+<p>We are pleased to announce the release of Apache Subversion 1.7.19.
This is the most complete Subversion release in the 1.7 series to date,
and we encourage users of Subversion to upgrade as soon as reasonable.
Please see the
- <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E8E6B7.3010503@apache.org%3E"
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201412.mbox/%3C548F4EEB.7030601@apache.org%3E"
>release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.18/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.19/CHANGES"
>change log</a> for more information about this release.</p>
<p>To get this release from the nearest mirror, please visit our
- <a href="/download/#supported-releases">download page</a>.</p>
+ <a href="/download/?update=201412151630#supported-releases">download page</a>.</p>
-</div> <!-- #news-20140811-2 -->
+</div> <!-- #news-20141215-2 -->
<div class="h3" id="news-20140414">
<h3>2014-04-14 — Apache Subversion 1.9.0-alpha2 Released
Modified: subversion/site/publish/news.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/news.html?rev=1645754&r1=1645753&r2=1645754&view=diff
==============================================================================
--- subversion/site/publish/news.html (original)
+++ subversion/site/publish/news.html Mon Dec 15 21:17:13 2014
@@ -22,6 +22,45 @@
<!-- Maybe we could insert H2's to split up the news items by -->
<!-- calendar year if we felt the need to do so. -->
+<div class="h3" id="news-20141215-1">
+<h3>2014-12-15 — Apache Subversion 1.8.11 Released
+ <a class="sectionlink" href="#news-20141215-1"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>We are pleased to announce the release of Apache Subversion 1.8.11.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201412.mbox/%3C548F4EF1.9070900@apache.org%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.11/CHANGES"
+ >change log</a> for more information about this release.</p>
+
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download/update=201412151630#recommended-release">download page</a>.</p>
+
+</div> <!-- #news-20141215-1 -->
+
+<div class="h3" id="news-20140815-2">
+<h3>2014-12-15 — Apache Subversion 1.7.19 Released
+ <a class="sectionlink" href="#news-20141215-2"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>We are pleased to announce the release of Apache Subversion 1.7.19.
+ This is the most complete Subversion release in the 1.7 series to date,
+ and we encourage users of Subversion to upgrade as soon as reasonable.
+ Please see the
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201412.mbox/%3C548F4EEB.7030601@apache.org%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.19/CHANGES"
+ >change log</a> for more information about this release.</p>
+
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download/?update=201412151630#supported-releases">download page</a>.</p>
+
+</div> <!-- #news-20141215-2 -->
+
<div class="h3" id="news-20140811-1">
<h3>2014-08-11 — Apache Subversion 1.8.10 Released
<a class="sectionlink" href="#news-20140811-1"
Added: subversion/site/publish/security/CVE-2014-3580-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2014-3580-advisory.txt?rev=1645754&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2014-3580-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2014-3580-advisory.txt Mon Dec 15 21:17:13 2014
@@ -0,0 +1,270 @@
+ mod_dav_svn is vulnerable to a remotely triggerable segfault DoS
+ vulnerability with certain invalid REPORT requests.
+
+Summary:
+========
+
+ Subversion's mod_dav_svn Apache HTTPD server module will crash when it
+ receives a REPORT request for some invalid formatted special URIs.
+
+ This can lead to a DoS. There are no known instances of this problem
+ being exploited in the wild.
+
+Known vulnerable:
+=================
+
+ Subversion HTTPD servers 1.0.0 through 1.7.18 (inclusive)
+ Subversion HTTPD servers 1.8.0 through 1.8.10 (inclusive)
+
+Known fixed:
+============
+
+ Subversion 1.7.19
+ Subversion 1.8.11
+
+Details:
+========
+
+ Subversion's HTTP support is implemented as an interaction between mod_dav
+ and mod_dav_svn. mod_dav asks mod_dav_svn to fill a resource struct when
+ a request is made. When the resource doesn't exist in the repository the
+ repository path is calculated as a NULL. Later mod_dav calls into
+ mod_dav_svn to actually handle the request and Subversion attempts to
+ use the repostiory path which is NULL, resulting in the SEGFAULT.
+
+Severity:
+=========
+
+ CVSSv2 Base Score: 5.0
+ CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
+
+ We consider this to be a medium risk vulnerability. Repositories which
+ allow for anonymous reads will be vulnerable without authentication.
+ Unfortunately, no special configuration is required and all mod_dav_svn
+ servers are vulnerable.
+
+ A remote attacker may be able to crash a Subversion server. Many Apache
+ servers will respawn the listener processes, but a determined attacker
+ will be able to crash these processes as they appear, denying service to
+ legitimate users. Servers using threaded MPMs will close the connection
+ on other clients being served by the same process that services the
+ request from the attacker. In either case there is an increased
+ processing impact of restarting a process and the cost of per process
+ caches being lost.
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to Subversion 1.8.11. Users of
+ Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
+ included patch.
+
+ New Subversion packages can be found at:
+ http://subversion.apache.org/packages.html
+
+ No known workarounds are available.
+
+References:
+===========
+
+ CVE-2014-3580 (Subversion)
+
+Reported by:
+============
+
+ Evgeny Kotkov, VisualSVN
+
+Patches:
+========
+
+ Patch against 1.7.18:
+
+[[[
+Index: subversion/mod_dav_svn/reports/deleted-rev.c
+===================================================================
+--- subversion/mod_dav_svn/reports/deleted-rev.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/deleted-rev.c (working copy)
+@@ -56,6 +56,9 @@ dav_svn__get_deleted_rev_report(const dav_resource
+ dav_error *derr = NULL;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0,
+Index: subversion/mod_dav_svn/reports/file-revs.c
+===================================================================
+--- subversion/mod_dav_svn/reports/file-revs.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/file-revs.c (working copy)
+@@ -251,6 +251,9 @@ dav_svn__file_revs_report(const dav_resource *reso
+ arb.repos = resource->info->repos;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ /* ### This is done on other places, but the document element is
+ in this namespace, so is this necessary at all? */
+Index: subversion/mod_dav_svn/reports/get-location-segments.c
+===================================================================
+--- subversion/mod_dav_svn/reports/get-location-segments.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/get-location-segments.c (working copy)
+@@ -123,6 +123,9 @@ dav_svn__get_location_segments_report(const dav_re
+ struct location_segment_baton location_segment_baton;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+Index: subversion/mod_dav_svn/reports/get-locations.c
+===================================================================
+--- subversion/mod_dav_svn/reports/get-locations.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/get-locations.c (working copy)
+@@ -106,6 +106,9 @@ dav_svn__get_locations_report(const dav_resource *
+ sizeof(svn_revnum_t));
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+Index: subversion/mod_dav_svn/reports/log.c
+===================================================================
+--- subversion/mod_dav_svn/reports/log.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/log.c (working copy)
+@@ -307,6 +307,9 @@ dav_svn__log_report(const dav_resource *resource,
+ = apr_array_make(resource->pool, 1, sizeof(const char *));
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+Index: subversion/mod_dav_svn/reports/mergeinfo.c
+===================================================================
+--- subversion/mod_dav_svn/reports/mergeinfo.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/mergeinfo.c (working copy)
+@@ -67,6 +67,9 @@ dav_svn__get_mergeinfo_report(const dav_resource *
+ = apr_array_make(resource->pool, 0, sizeof(const char *));
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+]]]
+
+ Patch against 1.8.10:
+
+[[[
+Index: subversion/mod_dav_svn/reports/deleted-rev.c
+===================================================================
+--- subversion/mod_dav_svn/reports/deleted-rev.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/deleted-rev.c (working copy)
+@@ -56,6 +56,9 @@ dav_svn__get_deleted_rev_report(const dav_resource
+ dav_error *derr = NULL;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0,
+Index: subversion/mod_dav_svn/reports/file-revs.c
+===================================================================
+--- subversion/mod_dav_svn/reports/file-revs.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/file-revs.c (working copy)
+@@ -254,6 +254,9 @@ dav_svn__file_revs_report(const dav_resource *reso
+ arb.repos = resource->info->repos;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ /* ### This is done on other places, but the document element is
+ in this namespace, so is this necessary at all? */
+Index: subversion/mod_dav_svn/reports/get-location-segments.c
+===================================================================
+--- subversion/mod_dav_svn/reports/get-location-segments.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/get-location-segments.c (working copy)
+@@ -123,6 +123,9 @@ dav_svn__get_location_segments_report(const dav_re
+ struct location_segment_baton location_segment_baton;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+Index: subversion/mod_dav_svn/reports/get-locations.c
+===================================================================
+--- subversion/mod_dav_svn/reports/get-locations.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/get-locations.c (working copy)
+@@ -106,6 +106,9 @@ dav_svn__get_locations_report(const dav_resource *
+ sizeof(svn_revnum_t));
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+Index: subversion/mod_dav_svn/reports/inherited-props.c
+===================================================================
+--- subversion/mod_dav_svn/reports/inherited-props.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/inherited-props.c (working copy)
+@@ -63,6 +63,9 @@ dav_svn__get_inherited_props_report(const dav_reso
+ apr_pool_t *iterpool;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+Index: subversion/mod_dav_svn/reports/log.c
+===================================================================
+--- subversion/mod_dav_svn/reports/log.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/log.c (working copy)
+@@ -307,6 +307,9 @@ dav_svn__log_report(const dav_resource *resource,
+ = apr_array_make(resource->pool, 1, sizeof(const char *));
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+Index: subversion/mod_dav_svn/reports/mergeinfo.c
+===================================================================
+--- subversion/mod_dav_svn/reports/mergeinfo.c (revision 1624477)
++++ subversion/mod_dav_svn/reports/mergeinfo.c (working copy)
+@@ -67,6 +67,9 @@ dav_svn__get_mergeinfo_report(const dav_resource *
+ = apr_array_make(resource->pool, 0, sizeof(const char *));
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+]]]
Propchange: subversion/site/publish/security/CVE-2014-3580-advisory.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: subversion/site/publish/security/CVE-2014-3580-advisory.txt
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: subversion/site/publish/security/CVE-2014-8108-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2014-8108-advisory.txt?rev=1645754&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2014-8108-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2014-8108-advisory.txt Mon Dec 15 21:17:13 2014
@@ -0,0 +1,200 @@
+ mod_dav_svn is vulnerable to a remotely triggerable segfault DoS
+ vulnerability for requests with no existant virtual transaction names.
+
+Summary:
+========
+
+ Subversion's mod_dav_svn Apache HTTPD server module will crash when it
+ receives a request for some invalid formatted special URIs.
+
+ This can lead to a DoS. There are no known instances of this problem
+ being exploited in the wild.
+
+Known vulnerable:
+=================
+
+ Subversion HTTPD servers 1.7.0 through 1.7.18 (inclusive)
+ Subversion HTTPD servers 1.8.0 through 1.8.10 (inclusive)
+
+Known fixed:
+============
+
+ Subversion 1.7.19
+ Subversion 1.8.11
+
+Details:
+========
+
+ Subversion 1.7.0 and newer added new protocol variant to the HTTP support.
+ One of the changes in this new protocol was that the client no longer had
+ to generate the UUID by which transactions would be referred to. However,
+ there were circumstances where clients needed to provide their own names for
+ transactions and so it has support for virtual transaction names. These
+ transaction names are then mapped to the servers internal transaction id
+ much as was done in the old protocol. New special URIs were provided to
+ allow the client to access the transactions by these virtual transaction
+ names.
+
+ Making a request for a URI that refers to a non-existant virtual transaction
+ name results in the lookup for the internal transaction id to be NULL.
+ Subsequent uses of the transaction id do not properly validate that the
+ id is valid and result in a SEGFAULT.
+
+Severity:
+=========
+
+ CVSSv2 Base Score: 5.0
+ CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
+
+ We consider this to be a medium risk vulnerability. Repositories which
+ allow for anonymous reads will be vulnerable without authentication.
+ Unfortunately, no special configuration is required and all mod_dav_svn
+ servers that support the new protocol variant are vulnerable.
+
+ A remote attacker may be able to crash a Subversion server. Many Apache
+ servers will respawn the listener processes, but a determined attacker
+ will be able to crash these processes as they appear, denying service to
+ legitimate users. Servers using threaded MPMs will close the connection
+ on other clients being served by the same process that services the
+ request from the attacker. In either case there is an increased
+ processing impact of restarting a process and the cost of per process
+ caches being lost.
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to Subversion 1.8.11. Users of
+ Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
+ included patch.
+
+ New Subversion packages can be found at:
+ http://subversion.apache.org/packages.html
+
+ No known workarounds are available.
+
+References:
+===========
+
+ CVE-2014-8108 (Subversion)
+
+Reported by:
+============
+
+ Evgeny Kotkov, VisualSVN
+
+Patches:
+========
+
+ Patch against 1.7.18:
+
+[[[
+Index: subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion/mod_dav_svn/repos.c (revision 1624477)
++++ subversion/mod_dav_svn/repos.c (working copy)
+@@ -506,6 +506,9 @@ parse_vtxnstub_uri(dav_resource_combined *comb,
+ if (parse_txnstub_uri(comb, path, label, use_checked_in))
+ return TRUE;
+
++ if (!comb->priv.root.txn_name)
++ return TRUE;
++
+ comb->priv.root.vtxn_name = comb->priv.root.txn_name;
+ comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos,
+ comb->priv.root.vtxn_name);
+@@ -574,6 +577,9 @@ parse_vtxnroot_uri(dav_resource_combined *comb,
+ if (parse_txnroot_uri(comb, path, label, use_checked_in))
+ return TRUE;
+
++ if (!comb->priv.root.txn_name)
++ return TRUE;
++
+ comb->priv.root.vtxn_name = comb->priv.root.txn_name;
+ comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos,
+ comb->priv.root.vtxn_name);
+@@ -919,6 +925,10 @@ prep_working(dav_resource_combined *comb)
+ point. */
+ if (txn_name == NULL)
+ {
++ if (!comb->priv.root.activity_id)
++ return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0,
++ "The request did not specify an activity ID");
++
+ txn_name = dav_svn__get_txn(comb->priv.repos,
+ comb->priv.root.activity_id);
+ if (txn_name == NULL)
+@@ -1029,9 +1039,14 @@ prep_working(dav_resource_combined *comb)
+ static dav_error *
+ prep_activity(dav_resource_combined *comb)
+ {
+- const char *txn_name = dav_svn__get_txn(comb->priv.repos,
+- comb->priv.root.activity_id);
++ const char *txn_name;
+
++ if (!comb->priv.root.activity_id)
++ return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0,
++ "The request did not specify an activity ID");
++
++ txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.activity_id);
++
+ comb->priv.root.txn_name = txn_name;
+ comb->res.exists = txn_name != NULL;
+
+]]]
+
+ Patch against 1.8.10:
+
+[[[
+Index: subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion/mod_dav_svn/repos.c (revision 1624477)
++++ subversion/mod_dav_svn/repos.c (working copy)
+@@ -508,6 +508,9 @@ parse_vtxnstub_uri(dav_resource_combined *comb,
+ if (parse_txnstub_uri(comb, path, label, use_checked_in))
+ return TRUE;
+
++ if (!comb->priv.root.txn_name)
++ return TRUE;
++
+ comb->priv.root.vtxn_name = comb->priv.root.txn_name;
+ comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos,
+ comb->priv.root.vtxn_name);
+@@ -576,6 +579,9 @@ parse_vtxnroot_uri(dav_resource_combined *comb,
+ if (parse_txnroot_uri(comb, path, label, use_checked_in))
+ return TRUE;
+
++ if (!comb->priv.root.txn_name)
++ return TRUE;
++
+ comb->priv.root.vtxn_name = comb->priv.root.txn_name;
+ comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos,
+ comb->priv.root.vtxn_name);
+@@ -921,6 +927,10 @@ prep_working(dav_resource_combined *comb)
+ point. */
+ if (txn_name == NULL)
+ {
++ if (!comb->priv.root.activity_id)
++ return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0,
++ "The request did not specify an activity ID");
++
+ txn_name = dav_svn__get_txn(comb->priv.repos,
+ comb->priv.root.activity_id);
+ if (txn_name == NULL)
+@@ -1031,9 +1041,14 @@ prep_working(dav_resource_combined *comb)
+ static dav_error *
+ prep_activity(dav_resource_combined *comb)
+ {
+- const char *txn_name = dav_svn__get_txn(comb->priv.repos,
+- comb->priv.root.activity_id);
++ const char *txn_name;
+
++ if (!comb->priv.root.activity_id)
++ return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0,
++ "The request did not specify an activity ID");
++
++ txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.activity_id);
++
+ comb->priv.root.txn_name = txn_name;
+ comb->res.exists = txn_name != NULL;
+
+]]]
Propchange: subversion/site/publish/security/CVE-2014-8108-advisory.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: subversion/site/publish/security/CVE-2014-8108-advisory.txt
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1645754&r1=1645753&r2=1645754&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Mon Dec 15 21:17:13 2014
@@ -205,6 +205,16 @@ Subversion project.</p>
<td>1.0.0-1.7.17 and 1.8.0-1.8.9</td>
<td>credentials cached with svn may be sent to wrong server</td>
</tr>
+<tr>
+<td><a href="CVE-2014-3580-advisory.txt">CVE-2014-3580-advisory.txt</a></td>
+<td>1.0.0-1.7.18 and 1.8.0-1.8.10</td>
+<td>mod_dav_svn DoS vulnerability with invalid REPORT requests</td>
+</tr>
+<tr>
+<td><a href="CVE-2014-8108-advisory.txt">CVE-2014-8108-advisory.txt</a></td>
+<td>1.7.0-1.7.18 and 1.8.0-1.8.10</td>
+<td>mod_dav_svn DoS vulnerability with invalid virtual transaction names</td>
+</tr>
</tbody>
</table>