Posted to announce@apache.org by Ben Reser <br...@apache.org> on 2013/08/30 17:34:21 UTC

Apache Subversion 1.8.3 released

I'm happy to announce the release of Apache Subversion 1.8.3.

Please note that Subversion 1.8.3 is the next release after Subversion 1.8.1.
The 1.8.2 release was not published publicly, due to issues found
during testing.

Please choose the mirror closest to you by visiting:

    http://subversion.apache.org/download/#recommended-release

This release addresses three security issues:
    CVE-2013-4246: fsfs: corruption from editing packed revision properties
    CVE-2013-4262: admin-side tools: symlink attack against pid file
    CVE-2013-4246: svnserve: symlink attack against pid file

More information on these vulnerabilities, including the relevant
advisories and potential attack vectors and workarounds, can be found
on the Subversion security website:
    http://subversion.apache.org/security/

This release changes mod_dav_svn to no longer map requests to the local
filesystem.  Administrators of mod_dav_svn servers should read the
section about this in the release notes:
    http://subversion.apache.org/docs/release-notes/1.8.html#mod_dav_svn-fsmap

The SHA1 checksums are:

    e328e9f1c57f7c78bea4c3af869ec5d4503580cf subversion-1.8.3.tar.bz2
    f004934ef6ed8ee4ede1202e0734098350d80812 subversion-1.8.3.zip
    4bc7cceb0d16a09ba839a53435f5671d40867d44 subversion-1.8.3.tar.gz

PGP Signatures are available at:

    http://www.apache.org/dist/subversion/subversion-1.8.3.tar.bz2.asc
    http://www.apache.org/dist/subversion/subversion-1.8.3.tar.gz.asc
    http://www.apache.org/dist/subversion/subversion-1.8.3.zip.asc

For this release, the following people have provided PGP signatures:

   Ben Reser [4096R/16A0DE01] with fingerprint:
    19BB CAEF 7B19 B280 A0E2  175E 62D4 8FAD 16A0 DE01
   Bert Huijben [4096R/CCC8E1DF] with fingerprint:
    3D1D C66D 6D2E 0B90 3952  8138 C4A6 C625 CCC8 E1DF
   Ivan Zhakov [4096R/F6AD8147] with fingerprint:
    4829 8F0F E47F 4B8A 43FD  6525 919F 6F61 F6AD 8147
   Julian Foad [4096R/4EECC493] with fingerprint:
    6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
   Paul T. Burba [4096R/56F3D7BC] with fingerprint:
    1A0F E7C6 B3C5 F8D4 D0C4  A20B 64DD C071 56F3 D7BC
   Philip Martin [2048R/ED1A599C] with fingerprint:
    A844 790F B574 3606 EE95  9207 76D7 88E1 ED1A 599C

Release notes for the 1.8.x release series may be found at:

    http://subversion.apache.org/docs/release-notes/1.8.html

You can find the list of changes between 1.8.3 and earlier versions at:

    http://svn.apache.org/repos/asf/subversion/tags/1.8.3/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team


Re: Apache Subversion 1.8.3 released

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
Consonant with the Subversion 1.8.3 and 1.7.13 releases, I've updated my
GitHub-published packages for building them locally on RHEL 6.x. They're at:

           https://github.com/nkadel/subversion-1.7.x-srpm
           https://github.com/nkadel/subverison-1.8.x-srpm

They're tested and running on some CentOS and Scientific Linux environments
I use, with updated versions of get-deps.sh in the git repository and some
Fedora 19 patches applied for consistency with RHEL environments. For those
of you who need these up-to-date versions on RHEL 6, enjoy!


On Fri, Aug 30, 2013 at 11:58 AM, Ben Reser <br...@apache.org> wrote:

> On 8/30/13 8:34 AM, Ben Reser wrote:
> > I'm happy to announce the release of Apache Subversion 1.8.3.
> >
> > Please note that Subversion 1.8.3 is the next release after Subversion 1.8.1.
> > The 1.8.2 release was not published publicly, due to issues found
> > during testing.
> >
> > Please choose the mirror closest to you by visiting:
> >
> >     http://subversion.apache.org/download/#recommended-release
> >
> > This release addresses three security issues:
> >     CVE-2013-4246: fsfs: corruption from editing packed revision properties
> >     CVE-2013-4262: admin-side tools: symlink attack against pid file
> >     CVE-2013-4246: svnserve: symlink attack against pid file
> >
> > More information on these vulnerabilities, including the relevant
> > advisories and potential attack vectors and workarounds, can be found
> > on the Subversion security website:
> >     http://subversion.apache.org/security/
>
> CVE-2013-4246 was inadvertently used twice in this announcement.  The correct
> list of security issues follows:
>      CVE-2013-4246: fsfs: corruption from editing packed revision properties
>      CVE-2013-4262: admin-side tools: symlink attack against pid file
>      CVE-2013-4277: svnserve: symlink attack against pid file

Re: Apache Subversion 1.8.3 released

Posted by Ben Reser <br...@apache.org>.
On 8/30/13 8:34 AM, Ben Reser wrote:
> I'm happy to announce the release of Apache Subversion 1.8.3.
> 
> Please note that Subversion 1.8.3 is the next release after Subversion 1.8.1.
> The 1.8.2 release was not published publicly, due to issues found
> during testing.
> 
> Please choose the mirror closest to you by visiting:
> 
>     http://subversion.apache.org/download/#recommended-release
> 
> This release addresses three security issues:
>     CVE-2013-4246: fsfs: corruption from editing packed revision properties
>     CVE-2013-4262: admin-side tools: symlink attack against pid file
>     CVE-2013-4246: svnserve: symlink attack against pid file
> 
> More information on these vulnerabilities, including the relevant
> advisories and potential attack vectors and workarounds, can be found
> on the Subversion security website:
>     http://subversion.apache.org/security/

CVE-2013-4246 was inadvertently used twice in this announcement.  The correct
list of security issues follows:
     CVE-2013-4246: fsfs: corruption from editing packed revision properties
     CVE-2013-4262: admin-side tools: symlink attack against pid file
     CVE-2013-4277: svnserve: symlink attack against pid file


