You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Ben Reser <br...@apache.org> on 2013/08/30 17:34:34 UTC

Apache Subversion 1.7.13 released

I'm happy to announce the release of Apache Subversion 1.7.13.

Please note that Subversion 1.7.13 is the next release after Subversion 1.7.11.
The 1.7.12 release was not published publicly, due to issues found
during testing.

Please choose the mirror closest to you by visiting:

    http://subversion.apache.org/download/#recommended-release

This release addresses one security issue:
    CVE-2013-4246: svnserve: symlink attack against pid file

More information on this vulnerability, including the relevant
advisory and potential attack vectors and workarounds, can be found
on the Subversion security website:
    http://subversion.apache.org/security/

This release changes mod_dav_svn to no longer map requests to the local
filesystem.  Administrators of mod_dav_svn servers should read the
section about this in the release notes:
    http://subversion.apache.org/docs/release-notes/1.7.html#mod_dav_svn-fsmap

The SHA1 checksums are:

    3dad15f19dd43477cc48174a0284e792e32b7a97 subversion-1.7.13.zip
    9fa8d49a18e58403ce5b855e65f748ddd86bba09 subversion-1.7.13.tar.gz
    844bb756ec505edaa12b9610832bcd21567139f1 subversion-1.7.13.tar.bz2

PGP Signatures are available at:

    http://www.apache.org/dist/subversion/subversion-1.7.13.tar.bz2.asc
    http://www.apache.org/dist/subversion/subversion-1.7.13.tar.gz.asc
    http://www.apache.org/dist/subversion/subversion-1.7.13.zip.asc

For this release, the following people have provided PGP signatures:

   Ben Reser [4096R/16A0DE01] with fingerprint:
    19BB CAEF 7B19 B280 A0E2  175E 62D4 8FAD 16A0 DE01
   Ivan Zhakov [4096R/F6AD8147] with fingerprint:
    4829 8F0F E47F 4B8A 43FD  6525 919F 6F61 F6AD 8147
   Johan Corveleyn [4096R/010C8AAD] with fingerprint:
    8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
   Julian Foad [4096R/4EECC493] with fingerprint:
    6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
   Paul T. Burba [4096R/56F3D7BC] with fingerprint:
    1A0F E7C6 B3C5 F8D4 D0C4  A20B 64DD C071 56F3 D7BC
   Philip Martin [2048R/ED1A599C] with fingerprint:
    A844 790F B574 3606 EE95  9207 76D7 88E1 ED1A 599C

Release notes for the 1.7.x release series may be found at:

    http://subversion.apache.org/docs/release-notes/1.7.html

You can find the list of changes between 1.7.13 and earlier versions at:

    http://svn.apache.org/repos/asf/subversion/tags/1.7.13/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team

Re: Apache Subversion 1.7.13 released

Posted by Ben Reser <br...@apache.org>.

On 8/30/13 8:34 AM, Ben Reser wrote:
> I'm happy to announce the release of Apache Subversion 1.7.13.
> 
> Please note that Subversion 1.7.13 is the next release after Subversion 1.7.11.
> The 1.7.12 release was not published publicly, due to issues found
> during testing.
> 
> Please choose the mirror closest to you by visiting:
> 
>     http://subversion.apache.org/download/#recommended-release
> 
> This release addresses one security issue:
>     CVE-2013-4246: svnserve: symlink attack against pid file
> 
> More information on this vulnerability, including the relevant
> advisory and potential attack vectors and workarounds, can be found
> on the Subversion security website:
>     http://subversion.apache.org/security/

CVE-2013-4246 was incorrectly used in this announcement.  The correct list of
security issues follows:
     CVE-2013-4277: svnserve: symlink attack against pid file

Re: Apache Subversion 1.7.13 released

Posted by Ben Reser <br...@apache.org>.

On 8/30/13 8:34 AM, Ben Reser wrote:
> I'm happy to announce the release of Apache Subversion 1.7.13.
> 
> Please note that Subversion 1.7.13 is the next release after Subversion 1.7.11.
> The 1.7.12 release was not published publicly, due to issues found
> during testing.
> 
> Please choose the mirror closest to you by visiting:
> 
>     http://subversion.apache.org/download/#recommended-release
> 
> This release addresses one security issue:
>     CVE-2013-4246: svnserve: symlink attack against pid file
> 
> More information on this vulnerability, including the relevant
> advisory and potential attack vectors and workarounds, can be found
> on the Subversion security website:
>     http://subversion.apache.org/security/

CVE-2013-4246 was incorrectly used in this announcement.  The correct list of
security issues follows:
     CVE-2013-4277: svnserve: symlink attack against pid file

Re: Apache Subversion 1.7.13 released

Posted by Ben Reser <br...@apache.org>.

On 8/30/13 8:34 AM, Ben Reser wrote:
> I'm happy to announce the release of Apache Subversion 1.7.13.
> 
> Please note that Subversion 1.7.13 is the next release after Subversion 1.7.11.
> The 1.7.12 release was not published publicly, due to issues found
> during testing.
> 
> Please choose the mirror closest to you by visiting:
> 
>     http://subversion.apache.org/download/#recommended-release
> 
> This release addresses one security issue:
>     CVE-2013-4246: svnserve: symlink attack against pid file
> 
> More information on this vulnerability, including the relevant
> advisory and potential attack vectors and workarounds, can be found
> on the Subversion security website:
>     http://subversion.apache.org/security/

CVE-2013-4246 was incorrectly used in this announcement.  The correct list of
security issues follows:
     CVE-2013-4277: svnserve: symlink attack against pid file

Re: Apache Subversion 1.7.13 released

Posted by Ben Reser <br...@apache.org>.

On 8/30/13 8:34 AM, Ben Reser wrote:
> I'm happy to announce the release of Apache Subversion 1.7.13.
> 
> Please note that Subversion 1.7.13 is the next release after Subversion 1.7.11.
> The 1.7.12 release was not published publicly, due to issues found
> during testing.
> 
> Please choose the mirror closest to you by visiting:
> 
>     http://subversion.apache.org/download/#recommended-release
> 
> This release addresses one security issue:
>     CVE-2013-4246: svnserve: symlink attack against pid file
> 
> More information on this vulnerability, including the relevant
> advisory and potential attack vectors and workarounds, can be found
> on the Subversion security website:
>     http://subversion.apache.org/security/

CVE-2013-4246 was incorrectly used in this announcement.  The correct list of
security issues follows:
     CVE-2013-4277: svnserve: symlink attack against pid file