Posted to announce@subversion.apache.org by Ben Reser <br...@apache.org> on 2013/04/04 22:56:26 UTC

Subversion 1.6.21 released

I'm happy to announce the release of Subversion 1.6.21.
Please choose the mirror closest to you by visiting:

    http://subversion.apache.org/download/#supported-releases

This release addresses four security issues:
    CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
    CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs
    CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs
    CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs

More information on these vulnerabilities, including the relevant advisories
and potential attack vectors and workarounds, can be found on the Subversion
security website:
    http://subversion.apache.org/security/

The SHA1 checksums are:

    bb7c4692216adf0eab89cd3e5d58bbc5908b639c subversion-1.6.21.tar.gz
    44dfcd5ffb8f09bce1c04f93250ef171f43a6b29 subversion-1.6.21.zip
    c62b0f9c4dff7202bd5e00876135557b5f5b5f55 subversion-1.6.21.tar.bz2

PGP Signatures are available at:

    http://subversion.tigris.org/downloads/subversion-1.6.21.tar.bz2.asc
    http://subversion.tigris.org/downloads/subversion-1.6.21.tar.gz.asc
    http://subversion.tigris.org/downloads/subversion-1.6.21.zip.asc

For this release, the following people have provided PGP signatures:

   Ben Reser [4096R/16A0DE01] with fingerprint:
    19BB CAEF 7B19 B280 A0E2  175E 62D4 8FAD 16A0 DE01
   C. Michael Pilato [4096R/FE681333] with fingerprint:
    753B 2F9D F717 FA23 A43E  E7C3 F5E0 F001 FE68 1333
   Johan Corveleyn [4096R/010C8AAD] with fingerprint:
    8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
   Mark Phippard [1024D/035A96A9] with fingerprint:
    D315 89DB E1C1 E9BA D218  39FD 265D F8A0 035A 96A9
   Paul T. Burba [4096R/56F3D7BC] with fingerprint:
    1A0F E7C6 B3C5 F8D4 D0C4  A20B 64DD C071 56F3 D7BC
   Philip Martin [2048R/ED1A599C] with fingerprint:
    A844 790F B574 3606 EE95  9207 76D7 88E1 ED1A 599C
   Stefan Sperling [2048R/9A59B973] with fingerprint:
    8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973

Release notes for the 1.6.x release series may be found at:

    http://subversion.apache.org/docs/release-notes/1.6.html

You can find the list of changes between 1.6.21 and earlier versions at:

    http://svn.apache.org/repos/asf/subversion/tags/1.6.21/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team
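
One way to check a downloaded archive against the SHA1 checksums and signer fingerprints listed in the announcement above (an added example, not part of the original announcement or of the Subversion project's tooling). It assumes `gpg` is installed with the signers' public keys already imported; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a Subversion 1.6.21 download against the announcement.
# SHA1 values and signer fingerprints below are copied from the announcement.
EXPECTED_SHA1='bb7c4692216adf0eab89cd3e5d58bbc5908b639c subversion-1.6.21.tar.gz
44dfcd5ffb8f09bce1c04f93250ef171f43a6b29 subversion-1.6.21.zip
c62b0f9c4dff7202bd5e00876135557b5f5b5f55 subversion-1.6.21.tar.bz2'
TRUSTED_FPRS='19BBCAEF7B19B280A0E2175E62D48FAD16A0DE01
753B2F9DF717FA23A43EE7C3F5E0F001FE681333
8AA2C10EEAAD44F969727AEAB59CE6D6010C8AAD
D31589DBE1C1E9BAD21839FD265DF8A0035A96A9
1A0FE7C6B3C5F8D4D0C4A20B64DDC07156F3D7BC
A844790FB5743606EE95920776D788E1ED1A599C
8BC4DAE0C5A4D65F404401074F7DBAA99A59B973'

sha1_of() {  # print a file's SHA1 with whichever tool is installed
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"
    else shasum -a 1 "$1"; fi | cut -d' ' -f1
}

# check_sha1 FILE LIST: succeed only if FILE's basename appears in LIST and
# its digest matches. This catches a damaged or swapped download; the PGP
# signature below is what ties the file to the release signers.
check_sha1() {
    want=$(printf '%s\n' "$2" | awk -v n="$(basename "$1")" '$2 == n {print $1}')
    [ -n "$want" ] && [ "$(sha1_of "$1")" = "$want" ]
}

# trusted_signers STATUS: print the fingerprints from gpg VALIDSIG status
# lines that are on TRUSTED_FPRS. Prefers the primary-key fingerprint (last
# field) so subkey signatures match; falls back to field 3 if it is absent.
trusted_signers() {
    printf '%s\n' "$1" |
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (length($NF) == 40) ? $NF : $3 }' |
    while read -r fpr; do
        if printf '%s\n' "$TRUSTED_FPRS" | grep -qxF "$fpr"; then printf '%s\n' "$fpr"; fi
    done
}

# verify_release ARCHIVE SIGFILE: both checks. gpg exits non-zero when some
# signers' keys are missing, so the status lines are parsed instead.
verify_release() {
    check_sha1 "$1" "$EXPECTED_SHA1" || { echo "SHA1 mismatch: $1" >&2; return 1; }
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    signers=$(trusted_signers "$status")
    [ -n "$signers" ] || { echo "no announced signer validated $1" >&2; return 1; }
    printf 'OK %s, valid signatures from:\n%s\n' "$1" "$signers"
}
```

Usage: `verify_release subversion-1.6.21.tar.bz2 subversion-1.6.21.tar.bz2.asc` after sourcing the file.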

Re: Subversion 1.6.21 released

Posted by Daniel Shahaf <da...@elego.de>.
Ben Reser wrote on Sun, Apr 07, 2013 at 22:34:19 -0700:
> On Sun, Apr 7, 2013 at 8:36 AM, Daniel Shahaf <da...@elego.de> wrote:
> > Nico Kadel-Garcia wrote on Sun, Apr 07, 2013 at 09:37:48 -0400:
> >> Minor changes include the recent discard of support for RHEL 4 in the
> >> subversion-1.7.x build structure, and switching from using "autogen.sh" to
> >> simply "aclocal" and "autoconf" instead of building a custom backported
> >> Python locally on older systems, just to get the ./configure to work.
> >
> > Couldn't you just use the 'configure' script in the tarball?  If you do
> > that, neither autoconf nor python is required.
> 
> He can't because he's patching things that go into configure.  If you
> follow his links you can see the patches that are being included.
> Some of them probably should be made on our side.  But that doesn't
> happen if nobody submits them.

s/doesn't/can't/, according to (oral?) ASF policy...

Re: Subversion 1.6.21 released

Posted by Ben Reser <be...@reser.org>.
On Sun, Apr 7, 2013 at 8:36 AM, Daniel Shahaf <da...@elego.de> wrote:
> Nico Kadel-Garcia wrote on Sun, Apr 07, 2013 at 09:37:48 -0400:
>> Minor changes include the recent discard of support for RHEL 4 in the
>> subversion-1.7.x build structure, and switching from using "autogen.sh" to
>> simply "aclocal" and "autoconf" instead of building a custom backported
>> Python locally on older systems, just to get the ./configure to work.
>
> Couldn't you just use the 'configure' script in the tarball?  If you do
> that, neither autoconf nor python is required.

He can't because he's patching things that go into configure.  If you
follow his links you can see the patches that are being included.
Some of them probably should be made on our side.  But that doesn't
happen if nobody submits them.

Re: Subversion 1.6.21 released

Posted by Daniel Shahaf <da...@elego.de>.
Nico Kadel-Garcia wrote on Sun, Apr 07, 2013 at 09:37:48 -0400:
> My SRPM building tools have been updated to match, at:
>  https://github.com/nkadel/subversion-1.6.21-srpm
> and
>  https://github.com/nkadel/subversion-1.7.9-srpm
> 
> Minor changes include the recent discard of support for RHEL 4 in the
> subversion-1.7.x build structure, and switching from using "autogen.sh" to
> simply "aclocal" and "autoconf" instead of building a custom backported
> Python locally on older systems, just to get the ./configure to work.

Couldn't you just use the 'configure' script in the tarball?  If you do
that, neither autoconf nor python is required.

Re: Subversion 1.6.21 released

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
My SRPM building tools have been updated to match, at:
 https://github.com/nkadel/subversion-1.6.21-srpm
and
 https://github.com/nkadel/subversion-1.7.9-srpm

Minor changes include the recent discard of support for RHEL 4 in the
subversion-1.7.x build structure, and switching from using "autogen.sh" to
simply "aclocal" and "autoconf" instead of building a custom backported
Python locally on older systems, just to get the ./configure to work.
