Posted to dev@subversion.apache.org by "Hyrum K. Wright" <hy...@hyrumwright.org> on 2009/08/06 20:00:05 UTC
Subversion 1.6.4 Released
Subversion 1.6.4 has been released, available from:
http://subversion.tigris.org/downloads/subversion-1.6.4.tar.bz2
http://subversion.tigris.org/downloads/subversion-1.6.4.tar.gz
http://subversion.tigris.org/downloads/subversion-1.6.4.zip
http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.bz2
http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.gz
http://subversion.tigris.org/downloads/subversion-deps-1.6.4.zip

THIS IS A SECURITY RELEASE, addressing the issue described at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2411

The CVE page may not be public yet when you read this, but will be soon.
The full text of the advisory is available at:
http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt

This security issue affects both clients and servers. Clients with commit
access to a vulnerable server can cause a remote heap overflow. Servers
can cause a heap overflow on vulnerable clients that try to do a checkout
or update. Subversion 1.6.4 differs from 1.6.4 only in the fix for this
issue. Upgrading to Subversion 1.6.4 (or Subversion 1.5.7, released
simultaneously) is therefore strongly recommended for Subversion client
and server installations on all platforms.

The MD5 checksums are:
11e3fa838c9a558cadc378f2807572e2 subversion-1.6.4.tar.bz2
9649be6c47b7d915dce75a1198900c25 subversion-1.6.4.tar.gz
7bedf685657c8a23d63760b60c58483e subversion-1.6.4.zip
026b5f5bd548d17368cd3dfd2965e0d3 subversion-deps-1.6.4.tar.bz2
a64c7979a7d9cd30f2a5159b5f5a5e6e subversion-deps-1.6.4.tar.gz
73453a5c0bf1c7d4369c0bef29eddb69 subversion-deps-1.6.4.zip
The SHA1 checksums are:
d043afc479ad985b23abe80e940729b99d4eb3c4 subversion-1.6.4.tar.bz2
0380c01229e5faa2f77236d0316abda292822303 subversion-1.6.4.tar.gz
3abec05e69ca092f0e608cf304aaf8ae2c7383a7 subversion-1.6.4.zip
2f3e30b0c7e1f735aee6f37dc15fbabfad5815db subversion-deps-1.6.4.tar.bz2
71afc9e85f3d7f26a896662f5ca85adf046855d3 subversion-deps-1.6.4.tar.gz
4c7880a69c21c964200646808994ae0bd9e03040 subversion-deps-1.6.4.zip
PGP Signatures are available at:
http://subversion.tigris.org/downloads/subversion-1.6.4.tar.bz2.asc
http://subversion.tigris.org/downloads/subversion-1.6.4.tar.gz.asc
http://subversion.tigris.org/downloads/subversion-1.6.4.zip.asc
http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.bz2.asc
http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.gz.asc
http://subversion.tigris.org/downloads/subversion-deps-1.6.4.zip.asc
For this release, the following people have provided PGP signatures:
Senthil Kumaran S [1024D/6CCD4038] with fingerprint:
8035 16A5 1D6E 50E2 1ECD DE56 F68D 46FB 6CCD 4038
C. Michael Pilato [1024D/1706FD6E] with fingerprint:
20BF 14DC F02F 2730 7EA4 C7BB A241 06A9 1706 FD6E
Paul T. Burba [1024D/53FCDC55] with fingerprint:
E630 CF54 792C F913 B13C 32C5 D916 8930 53FC DC55
Bert Huijben [1024D/9821F7B2] with fingerprint:
2017 F51A 2572 0E78 8827 5329 FCFD 6305 9821 F7B2
Hyrum K. Wright [1024D/4E24517C] with fingerprint:
3324 80DA 0F8C A37D AEE6 D084 0B03 AE6E 4E24 517C
Stefan Sperling [1024D/F59D25F0] with fingerprint:
B1CF 1060 A1E9 34D1 9E86 D6D6 E5D3 0273 F59D 25F0
Ivan Zhakov [1024D/C4F3A281] with fingerprint:
9D3C 5860 6A64 74BF 591D F3A1 F60D 1980 C4F3 A281
Release notes for the 1.6.x release series may be found at:
http://subversion.tigris.org/svn_1.6_releasenotes.html
You can find the list of changes between 1.6.4 and earlier versions at:
http://svn.collab.net/repos/svn/tags/1.6.4/CHANGES
Questions, comments, and bug reports to users@subversion.tigris.org.
Thanks,
- The Subversion Team
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2381021
Re: Subversion 1.6.4 Released
Posted by Alec Kloss <al...@oracle.com>.
On 2009-08-06 15:00, Hyrum K. Wright wrote:
> Subversion 1.6.4 has been released, available from:
>
[chop]
Has someone written a test tool to detect unpatched Subversion servers,
and if so, will it be made publicly available?
--
Alec.Kloss@oracle.com Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
Re: Subversion 1.6.4 Released
Posted by Alec Kloss <al...@oracle.com>.
accept
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2381257
Re: Subversion 1.6.4 Released
Posted by Stefan Sperling <st...@elego.de>.
On Thu, Aug 06, 2009 at 03:00:05PM -0500, Hyrum K. Wright wrote:
> Subversion 1.6.4 has been released, available from:
>
> http://subversion.tigris.org/downloads/subversion-1.6.4.tar.bz2
> http://subversion.tigris.org/downloads/subversion-1.6.4.tar.gz
> http://subversion.tigris.org/downloads/subversion-1.6.4.zip
> http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.bz2
> http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.gz
> http://subversion.tigris.org/downloads/subversion-deps-1.6.4.zip
>
> THIS IS A SECURITY RELEASE, addressing the issue described at:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2411
>
> The CVE page may not be public yet when you read this, but will be soon.
> The full text of the advisory is available at:
>
> http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt

Please note that due to human error an outdated version of the
advisory was published on the website shortly after this announcement.
This outdated version contained an incorrect patch and was present
on the site for about half an hour.

If you got the patch from the advisory shortly after the announcement,
please check the advisory again now to see if you really got the
correct patch.

Alternatively, get the release tarballs, which have always contained
the correct patch.

Stefan
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2381100