Posted to commits@subversion.apache.org by ko...@apache.org on 2016/04/28 16:59:39 UTC

svn commit: r1741442 - in /subversion/site/publish: doap.rdf docs/release-notes/release-history.html download.html index.html news.html security/CVE-2016-2167-advisory.txt security/CVE-2016-2168-advisory.txt security/index.html

Author: kotkov
Date: Thu Apr 28 14:59:38 2016
New Revision: 1741442

URL: http://svn.apache.org/viewvc?rev=1741442&view=rev
Log:
Update the site for 1.8.16 and 1.9.4 releases, including the security
advisories fixed by those releases.

* site/publish/doap.rdf: Update the versions.

* site/publish/docs/release-notes/release-history.html: Add Subversion 1.8.16
  and 1.9.4 entries.

* site/publish/download.html: Adjust both the recommended and supported
  versions and the file checksums.

* site/publish/news.html: Add news items about Subversion 1.8.16 and 1.9.4.

* site/publish/index.html: Add news items about Subversion 1.8.16 and 1.9.4.
  Remove two oldest items from this page.

* site/publish/security/CVE-2016-2167-advisory.txt,
  site/publish/security/CVE-2016-2168-advisory.txt: Add new files.

* site/publish/security/index.html: Append CVE-2016-2167 and CVE-2016-2168
  entries.

Added:
    subversion/site/publish/security/CVE-2016-2167-advisory.txt   (with props)
    subversion/site/publish/security/CVE-2016-2168-advisory.txt   (with props)
Modified:
    subversion/site/publish/doap.rdf
    subversion/site/publish/docs/release-notes/release-history.html
    subversion/site/publish/download.html
    subversion/site/publish/index.html
    subversion/site/publish/news.html
    subversion/site/publish/security/index.html

Modified: subversion/site/publish/doap.rdf
URL: http://svn.apache.org/viewvc/subversion/site/publish/doap.rdf?rev=1741442&r1=1741441&r2=1741442&view=diff
==============================================================================
--- subversion/site/publish/doap.rdf (original)
+++ subversion/site/publish/doap.rdf Thu Apr 28 14:59:38 2016
@@ -37,15 +37,15 @@
     <release>
       <Version>
         <name>Recommended current 1.9 release</name>
-        <created>2015-12-15</created>
-        <revision>1.9.3</revision>
+        <created>2016-04-28</created>
+        <revision>1.9.4</revision>
       </Version>
     </release>
     <release>
       <Version>
         <name>Current 1.8 release</name>
-        <created>2015-12-15</created>
-        <revision>1.8.15</revision>
+        <created>2016-04-28</created>
+        <revision>1.8.16</revision>
       </Version>
     </release>
     <release>

Modified: subversion/site/publish/docs/release-notes/release-history.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/release-history.html?rev=1741442&r1=1741441&r2=1741442&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/release-history.html (original)
+++ subversion/site/publish/docs/release-notes/release-history.html Thu Apr 28 14:59:38 2016
@@ -31,6 +31,12 @@ Subversion 2.0.</p>
 
 <ul>
   <li>
+    <b>Subversion 1.9.4</b> (Thursday, 28 April 2016): Bugfix/security release.
+  </li>
+  <li>
+    <b>Subversion 1.8.16</b> (Thursday, 28 April 2016): Bugfix/security release.
+  </li>
+  <li>
     <b>Subversion 1.9.3</b> (Tuesday, 15 September 2015): Bugfix/security release.
   </li>
   <li>
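Review bot: The unchanged 1.9.3 entry directly below the two new ones is dated "Tuesday, 15 September 2015", but the news items touched in this same commit give 1.9.3 as released on 2015-12-15. Since this list is being edited anyway, correct that date in the same change so the release history and the news pages agree.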

Modified: subversion/site/publish/download.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/download.html?rev=1741442&r1=1741441&r2=1741442&view=diff
==============================================================================
--- subversion/site/publish/download.html (original)
+++ subversion/site/publish/download.html Thu Apr 28 14:59:38 2016
@@ -17,8 +17,8 @@
 
 <h1>Download Source Code</h1>
 
-[define version]1.9.3[end]
-[define supported]1.8.15[end]
+[define version]1.9.4[end]
+[define supported]1.8.16[end]
 [define prerelease]1.9.0-rc3[end]
 
 <div class="bigpoint">
@@ -108,17 +108,17 @@ Other mirrors:
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.bz2">subversion-[version].tar.bz2</a></td>
-  <td class="checksum">27e8df191c92095f48314a415194ec37c682cbcf</td>
+  <td class="checksum">bc7d51fdda43bea01e1272dfe9d23d0a9d6cd11c</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.gz">subversion-[version].tar.gz</a></td>
-  <td class="checksum">b0cf8a64b1c244fcf2fa282d59ba34d7a57c3751 </td>
+  <td class="checksum">43a7e47c1fca0ed9ba79564bdcd2d7ba0cbfb905</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].zip">subversion-[version].zip</a></td>
-  <td class="checksum">a3216ef4bc804926c8be5dac07c32df5ab82d38a</td>
+  <td class="checksum">ff55b2161e22d4eb61f1d2294995b97295a2cb2d</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].zip.asc">PGP</a>]</td>
 </tr>
 </table>
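Review bot: The three replaced checksum cells for subversion-[version] are 40 hex digits each, the length of a SHA-1 digest, and the download links go through [preferred] mirrors, so this value and the PGP link are what a user has for verifying a mirror's copy. Consider publishing a longer digest next to it, and confirm each value against the released files before the page goes live. The same applies to the subversion-[supported] table in the next hunk. The old .tar.gz cell had a trailing space inside the td, which this hunk removes.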
@@ -146,17 +146,17 @@ Other mirrors:
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.bz2">subversion-[supported].tar.bz2</a></td>
-  <td class="checksum">680acf88f0db978fbbeac89ed63776d805b918ef</td>
+  <td class="checksum">9596643a2728c55a4e54ff38608fde09b27fa494</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.gz">subversion-[supported].tar.gz</a></td>
-  <td class="checksum">2f3349d86149a8fcaa73904e57f7ecab0d071a74</td>
+  <td class="checksum">50d3004b57d714247158374694c9f06ba852e88a</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].zip">subversion-[supported].zip</a></td>
-  <td class="checksum">1f95224bba59ff07307156c9531e0e988daddcce</td>
+  <td class="checksum">5a23082a998133be85efd0b5b81ef91d6b87fdd5</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].zip.asc">PGP</a>]</td>
 </tr>
 </table>

Modified: subversion/site/publish/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1741442&r1=1741441&r2=1741442&view=diff
==============================================================================
--- subversion/site/publish/index.html (original)
+++ subversion/site/publish/index.html Thu Apr 28 14:59:38 2016
@@ -64,62 +64,62 @@
 
 <!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
 
-<div class="h3" id="news-20151215-1"> 
-<h3>2015-12-15 &mdash; Apache Subversion 1.9.3 Released
- <a class="sectionlink" href="#news-20151215-1"
+<div class="h3" id="news-20160428-1"> 
+<h3>2016-04-28 &mdash; Apache Subversion 1.9.4 Released
+ <a class="sectionlink" href="#news-20160428-1"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.9.3.
+<p>We are pleased to announce the release of Apache Subversion 1.9.4.
  This is the most complete Subversion release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201512.mbox/%3CCAP_GPNj_GCA869VQeJUrp5ngXsgN7pQQHSS=sqoXm8_6hHTTxg@mail.gmail.com%3E"
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201604.mbox/date"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.3/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.4/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
  <a href="/download.cgi#recommended-release">download page</a>.</p> 
  
-</div> <!-- #news-20151215-1 --> 
+</div> <!-- #news-20160428-1 --> 
 
-<div class="h3" id="news-20151215-2"> 
-<h3>2015-12-15 &mdash; Apache Subversion 1.8.15 Released
- <a class="sectionlink" href="#news-20151215-2"
+<div class="h3" id="news-20160428-2"> 
+<h3>2016-04-28 &mdash; Apache Subversion 1.8.16 Released
+ <a class="sectionlink" href="#news-20160428-2"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.8.15.
+<p>We are pleased to announce the release of Apache Subversion 1.8.16.
  This is the most complete Subversion 1.8 release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201512.mbox/%3CCAP_GPNieJGPDbf=nmbSdf+CTMZ=5pREoqwnDNvO80mfAKNaY7Q@mail.gmail.com%3E"
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201604.mbox/date"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.15/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.16/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
  <a href="/download.cgi#supported-releases">download page</a>.</p> 
  
-</div> <!-- #news-20151215-2 --> 
+</div> <!-- #news-20160428-2 --> 
 
-<div class="h3" id="news-20150923"> 
-<h3>2015-09-23 &mdash; Apache Subversion 1.9.2 Released
- <a class="sectionlink" href="#news-20150923"
+<div class="h3" id="news-20151215-1"> 
+<h3>2015-12-15 &mdash; Apache Subversion 1.9.3 Released
+ <a class="sectionlink" href="#news-20151215-1"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.9.2.
+<p>We are pleased to announce the release of Apache Subversion 1.9.3.
  This is the most complete Subversion release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201509.mbox/%3CCAP_GPNgyXK9ZGWZ4M2t1dWBSiKEuGbuiRVGw2AF3-MpUZ%3DTRQA%40mail.gmail.com%3E"
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201512.mbox/%3CCAP_GPNj_GCA869VQeJUrp5ngXsgN7pQQHSS=sqoXm8_6hHTTxg@mail.gmail.com%3E"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.2/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.3/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
  <a href="/download.cgi#recommended-release">download page</a>.</p> 
  
-</div> <!-- #news-20150923 --> 
+</div> <!-- #news-20151215-1 --> 
 
 <p style="font-style: italic; text-align:
    right;">[Click <a href="/news.html">here</a> to see all News
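Review bot: Both new "release announcement" links (for 1.9.4 and for 1.8.16) point at the month index 201604.mbox/date, whereas the entries they replace linked the specific announcement mail by message id. As written, neither link leads to an announcement. Replace each href with the permalink of the corresponding announcement once it is in the archive, or hold the link text back until then.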

Modified: subversion/site/publish/news.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/news.html?rev=1741442&r1=1741441&r2=1741442&view=diff
==============================================================================
--- subversion/site/publish/news.html (original)
+++ subversion/site/publish/news.html Thu Apr 28 14:59:38 2016
@@ -22,6 +22,44 @@
 <!-- Maybe we could insert H2's to split up the news items by  -->
 <!-- calendar year if we felt the need to do so.               -->
 
+<div class="h3" id="news-20160428-1"> 
+<h3>2016-04-28 &mdash; Apache Subversion 1.9.4 Released
+ <a class="sectionlink" href="#news-20160428-1"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.9.4.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201604.mbox/date"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.4/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download.cgi#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20160428-1 --> 
+
+<div class="h3" id="news-20160428-2"> 
+<h3>2016-04-28 &mdash; Apache Subversion 1.8.16 Released
+ <a class="sectionlink" href="#news-20160428-2"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.8.16.
+ This is the most complete Subversion 1.8 release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201604.mbox/date"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.16/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download.cgi#supported-releases">download page</a>.</p> 
+ 
+</div> <!-- #news-20160428-2 --> 
+
 <div class="h3" id="news-20151215-1"> 
 <h3>2015-12-15 &mdash; Apache Subversion 1.9.3 Released
  <a class="sectionlink" href="#news-20151215-1"
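Review bot: The two added items use the same href, 201604.mbox/date, for their "release announcement" link, so a reader cannot get from either item to its own announcement. index.html only keeps the most recent few items and sends readers here for the rest, so a placeholder left on this page stays visible for good. Follow up with the per-message permalinks for 1.9.4 and 1.8.16.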

Added: subversion/site/publish/security/CVE-2016-2167-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2016-2167-advisory.txt?rev=1741442&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2016-2167-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2016-2167-advisory.txt Thu Apr 28 14:59:38 2016
@@ -0,0 +1,147 @@
+  svnserve/sasl may authenticate users using the wrong realm
+
+Summary:
+========
+
+  svnserve, the svn:// protocol server, can optionally use the Cyrus
+  SASL library for authentication, integrity protection, and encryption.
+  Due to a programming oversight, authentication against Cyrus SASL
+  would permit the remote user to specify a realm string which is
+  a prefix of the expected realm string.
+
+Known vulnerable:
+=================
+
+  Subversion 1.9.0 to 1.9.3
+  Subversion 1.5.0 to 1.8.15
+
+  Only repositories served by svnserve using SASL are affected.  For
+  a repository to be affected, both of the following must be true:
+
+  1. The output of `svnserve --version` includes the line "Cyrus SASL
+     authentication is available".
+
+  2. The svnserve.conf file includes "use-sasl = true" in the "[sasl]"
+     section.
+
+Known fixed:
+============
+
+  Subversion 1.9.4
+  Subversion 1.8.16
+
+  mod_dav_svn (any version) is not affected.
+
+  svnserve compiled without SASL support is not affected, regardless
+  of the contents of svnserve.conf files.
+
+  If the svnserve.conf file specifies 'use-sasl = false', or does not
+  specify 'use-sasl' at all, then the repository or svnserve instance
+  using that svnserve.conf file is not affected.
+
+Details:
+========
+
+  The Cyrus SASL authentication library provides a callback for
+  applications to "canonicalize" the username and realm provided by the
+  remote end.  svnserve uses that callback to enforce that either the
+  remote end specified no realm, or it specified the repository's realm
+  (as declared in the svnserve.conf file).
+
+  Due to a programming oversight, if the remote end specified a realm
+  string which is a prefix of the expected realm string, the
+  remote-specified realm string would be used in the canonicalized
+  value.  Consequently, a user who has valid credentials to a realm,
+  whose name is a prefix of the repository's realm, would be able to
+  successfully authenticate to the repository.
+
+  Such a user would still be subject to path-based authorization, if
+  enabled via the 'authz-db' or 'auth-access' svnserve.conf directives.
+
+  In theory, the erroneous realm comparison would also allow a remote
+  user to specify a realm string followed by an ASCII NUL byte and
+  possibly by more bytes thereafter.  In practice, however, control flow
+  on such inputs does not reach the vulnerable code.
+
+  Examples:
+
+  1. The user "jrandom" in the realm "foo" can successfully authenticate
+     to a repository whose realm is "foobar".
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 3.6
+  CVSSv2 Base Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N
+
+  Since this vulnerability presupposes rare circumstances --- namely,
+  having a valid realm name which is a string prefix of the repository's
+  realm name --- few deployments will be affected.
+
+  For affected deployments, however, this is a medium-risk
+  information disclosure and modification vulnerability.  The extent of
+  the information that may be accessed and modified by attackers depends
+  on the path-based authorization configuration in use (via the
+  'authz-db' and 'auth-access' svnserve.conf directives).
+
+Recommendations:
+================
+
+  Affected servers should be upgraded to Subversion 1.8.16 or 1.9.4.
+
+  Workarounds include:
+
+  - Use path-based authorization to deny access to usernames from other
+    realms, so they would be able to authenticate but then would have
+    authorization to nothing.
+
+  - Change realm names such that no valid realm name is a prefix of the
+    repository's realm name.
+
+References:
+===========
+
+  CVE-2016-2167 (Subversion)
+
+Reported by:
+============
+
+  Daniel Shahaf, Apache Infrastructure
+  James McCoy, Debian
+
+Patches:
+========
+
+  Patch for Subversion 1.9.3:
+[[[
+Index: subversion/svnserve/cyrus_auth.c
+===================================================================
+--- subversion/svnserve/cyrus_auth.c	(revision 1735379)
++++ subversion/svnserve/cyrus_auth.c	(working copy)
+@@ -74,6 +74,8 @@ static int canonicalize_username(sasl_conn_t *conn
+     {
+       /* The only valid realm is user_realm (i.e. the repository's realm).
+          If the user gave us another realm, complain. */
++      if (realm_len != inlen-(pos-in+1))
++        return SASL_BADPROT;
+       if (strncmp(pos+1, user_realm, inlen-(pos-in+1)) != 0)
+         return SASL_BADPROT;
+     }
+]]]
+
+  Patch for Subversion 1.8.15:
+[[[
+Index: subversion/svnserve/cyrus_auth.c
+===================================================================
+--- subversion/svnserve/cyrus_auth.c	(revision 1735379)
++++ subversion/svnserve/cyrus_auth.c	(working copy)
+@@ -74,6 +74,8 @@ static int canonicalize_username(sasl_conn_t *conn
+     {
+       /* The only valid realm is user_realm (i.e. the repository's realm).
+          If the user gave us another realm, complain. */
++      if (realm_len != inlen-(pos-in+1))
++        return SASL_BADPROT;
+       if (strncmp(pos+1, user_realm, inlen-(pos-in+1)) != 0)
+         return SASL_BADPROT;
+     }
+]]]
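Review bot: In both cyrus_auth.c patches the added test "realm_len != inlen-(pos-in+1)" sits under a comment that still only says another realm is rejected, and realm_len is not declared anywhere in the hunk context. Extend the comment to say that the length test is what stops a prefix such as "foo" from passing for "foobar" (the strncmp below compares only as many bytes as the client sent), and confirm that realm_len holds the length of user_realm at this point. Separately, the Severity section gives a CVSSv2 base score of 3.6 and then calls the issue medium-risk; 3.6 falls in the Low band (0.0-3.9) of the NVD ranking for CVSSv2, so either the wording or the score needs a sentence of explanation.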

Propchange: subversion/site/publish/security/CVE-2016-2167-advisory.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Added: subversion/site/publish/security/CVE-2016-2168-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2016-2168-advisory.txt?rev=1741442&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2016-2168-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2016-2168-advisory.txt Thu Apr 28 14:59:38 2016
@@ -0,0 +1,161 @@
+  Remotely triggerable DoS vulnerability in mod_authz_svn during COPY/MOVE
+  authorization check.
+
+Summary:
+========
+
+  Subversion's httpd servers are vulnerable to a remotely triggerable crash
+  in the mod_authz_svn module.  The crash can occur during an authorization
+  check for a COPY or MOVE request with a specially crafted header value.
+
+  This allows remote attackers to cause a denial of service.
+
+Known vulnerable:
+=================
+
+  Subversion httpd servers 1.0.0 to 1.8.15 (inclusive)
+  Subversion httpd servers 1.9.0 through 1.9.3 (inclusive)
+
+  Subversion svnserve servers (any version) are not vulnerable
+
+Known fixed:
+============
+
+  Subversion 1.8.16
+  Subversion 1.9.4
+
+Details:
+========
+
+  Subversion includes a separate server module, mod_authz_svn, which does
+  path-based authorization on Subversion repositories.  Authorizing a COPY
+  or MOVE request requires additional checks for the destination of the
+  request.  This additional logic contains a flaw that will cause a null
+  pointer dereference and a segmentation fault with certain invalid request
+  headers.
+
+  Exploiting this vulnerability requires the attacker to be authenticated
+  on the targeted server.  Since the flaw is in the authorization module,
+  the attack does not require access to a particular repository.
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 5.0
+  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
+
+  We consider this to be a medium risk vulnerability.  In order to take
+  advantage of this attack the attacker would require to authenticate
+  against the targeted server.  The attack does not require read access
+  to a particular repository.  Servers which allow for anonymous reads
+  will be vulnerable without authentication.
+
+  A remote attacker may be able to crash a Subversion server.  Many Apache
+  servers will respawn the listener processes, but a determined attacker
+  will be able to crash these processes as they appear, denying service to
+  legitimate users.  Servers using threaded MPMs will close the connection
+  on other clients being served by the same process that services the
+  request from the attacker.  In either case there is an increased
+  processing impact of restarting a process and the cost of per process
+  caches being lost.
+
+Recommendations:
+================
+
+  We recommend all users to upgrade to Subversion 1.9.4.  Users of
+  Subversion 1.8.x and 1.9.x who are unable to upgrade may apply the
+  included patch.
+
+  New Subversion packages can be found at:
+  http://subversion.apache.org/packages.html
+
+  No workaround is available.
+
+References:
+===========
+
+  CVE-2016-2168  (Subversion)
+
+Reported by:
+============
+
+  Ivan Zhakov, VisualSVN
+
+Patches:
+========
+
+  Patch for Subversion 1.9.3:
+[[[
+Index: subversion/mod_authz_svn/mod_authz_svn.c
+===================================================================
+--- subversion/mod_authz_svn/mod_authz_svn.c	(revision 1736295)
++++ subversion/mod_authz_svn/mod_authz_svn.c	(working copy)
+@@ -639,6 +639,8 @@ req_check_access(request_rec *r,
+ 
+   if (r->method_number == M_MOVE || r->method_number == M_COPY)
+     {
++      apr_status_t status;
++
+       dest_uri = apr_table_get(r->headers_in, "Destination");
+ 
+       /* Decline MOVE or COPY when there is no Destination uri, this will
+@@ -647,7 +649,19 @@ req_check_access(request_rec *r,
+       if (!dest_uri)
+         return DECLINED;
+ 
+-      apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
++      status = apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
++      if (status)
++        {
++          ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
++                        "Invalid URI in Destination header");
++          return HTTP_BAD_REQUEST;
++        }
++      if (!parsed_dest_uri.path)
++        {
++          ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                        "Invalid URI in Destination header");
++          return HTTP_BAD_REQUEST;
++        }
+ 
+       ap_unescape_url(parsed_dest_uri.path);
+       dest_uri = parsed_dest_uri.path;
+]]]
+
+  Patch for Subversion 1.8.15:
+[[[
+Index: subversion/mod_authz_svn/mod_authz_svn.c
+===================================================================
+--- subversion/mod_authz_svn/mod_authz_svn.c	(revision 1736295)
++++ subversion/mod_authz_svn/mod_authz_svn.c	(working copy)
+@@ -628,6 +628,8 @@ req_check_access(request_rec *r,
+ 
+   if (r->method_number == M_MOVE || r->method_number == M_COPY)
+     {
++      apr_status_t status;
++
+       dest_uri = apr_table_get(r->headers_in, "Destination");
+ 
+       /* Decline MOVE or COPY when there is no Destination uri, this will
+@@ -636,7 +638,19 @@ req_check_access(request_rec *r,
+       if (!dest_uri)
+         return DECLINED;
+ 
+-      apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
++      status = apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
++      if (status)
++        {
++          ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
++                        "Invalid URI in Destination header");
++          return HTTP_BAD_REQUEST;
++        }
++      if (!parsed_dest_uri.path)
++        {
++          ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                        "Invalid URI in Destination header");
++          return HTTP_BAD_REQUEST;
++        }
+ 
+       ap_unescape_url(parsed_dest_uri.path);
+       dest_uri = parsed_dest_uri.path;
+]]]
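Review bot: The Details section says exploitation requires the attacker to be authenticated, while the vector in Severity is Au:N and the Severity text adds that servers allowing anonymous reads are vulnerable without authentication. State the anonymous-read case in Details as well so the two sections agree. Recommendations names only 1.9.4 as the upgrade target although Known fixed also lists 1.8.16. In the patch, both new error branches log the identical string "Invalid URI in Destination header"; distinct messages for the apr_uri_parse failure and for the missing path would let an operator tell the two cases apart in the error log.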

Propchange: subversion/site/publish/security/CVE-2016-2168-advisory.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1741442&r1=1741441&r2=1741442&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Thu Apr 28 14:59:38 2016
@@ -252,10 +252,15 @@ should be hidden by path-based authz.</t
 integer overflow in the svn:// protocol parser.</td>
 </tr>
 <tr>
-<td><a href="CVE-2015-5343-advisory.txt">CVE-2015-5343-advisory.txt</a></td>
-<td>1.7.0-1.8.14 and 1.9.0-1.9.2</td>
-<td>Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn
-caused by integer overflow when parsing skel-encoded request bodies.</td>
+<td><a href="CVE-2016-2167-advisory.txt">CVE-2016-2167-advisory.txt</a></td>
+<td>1.5.0-1.8.15 and 1.9.0-1.9.3</td>
+<td>svnserve/sasl may authenticate users using the wrong realm.</td>
+</tr>
+<tr>
+<td><a href="CVE-2016-2168-advisory.txt">CVE-2016-2168-advisory.txt</a></td>
+<td>1.0.0-1.8.15 and 1.9.0-1.9.3</td>
+<td>Remotely triggerable DoS vulnerability in mod_authz_svn during COPY/MOVE
+authorization check.</td>
 </tr>
 </tbody>
 </table>
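Review bot: The removed lines in this hunk are the CVE-2015-5343 row, so the table loses that advisory, while the log message says the CVE-2016-2167 and CVE-2016-2168 entries are appended. Keep the CVE-2015-5343 row (its link, "1.7.0-1.8.14 and 1.9.0-1.9.2", and its description) and add the two new rows after it.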