You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Ben Reser <be...@reser.org> on 2004/07/19 23:23:04 UTC

Subversion 1.0.6 released. SECURITY FIX

Subversion 1.0.6 is ready. Grab it from:

  http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz
  http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2 

The MD5 checksums are:

  160c655194dff55f9fdd856110801d01  subversion-1.0.6.tar.gz
  bb05fe041fef7491b3555904d97f5e1c  subversion-1.0.6.tar.bz2

PGP Signatures are available at:
   http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz.asc
   http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2.asc

PGP Signatures will be made by the following person(s) for this release:
   Ben Reser [1024D/641E358B] with fingerprint:
   42F5 91FD E577 F545 FB40  8F6B 7241 856B 641E 358B


This is likely the last bugfix release in the 1.0.x line.  

Subversion versions up to and including 1.0.5 have a bug in
mod_authz_svn that allows users with write access to read
portions of the repository that they do not have read access
to.  Subversion 1.0.6 and newer (including 1.1.0-rc1) are not
vulnerable to this issue.

Details:
========

mod_authz_svn would allow a user to copy portions of a repo to which
they did not have read permissions to portions that they did have 
read permissions on, thereby evading the read restrictions.

Severity:
=========

This is a low risk issue.  Only sites running mod_authz_svn (an
Apache module) that are trying to restrict some of their users
with write access to a repo from reading part of that repo are
vulnerable.

Most installations will not fall into this category.
Additionally, any attempt to use such a vulnerability will be
apparent as the copy will be versioned.  Plus, it's doubtful
any site would permit public write access to its repository
so this issue should not be accessible by unauthenticated users.

This vulnerability does not affect users running svnserve.

Workarounds:
============

* Disable DAV and use svnserve.

* Separate content into different repos.

* Disable the COPY method via Apache configuration.  Note this will
  disallow all copies.

Recommendations:
================

We recommend all users upgrade to 1.0.6 or 1.1.0-rc1.


Questions, comments, and bug reports to users_at_subversion.tigris.org.

Thanks,
-The Subversion Team 

--------------------8-<-------cut-here---------8-<-----------------------

 User-visible-changes:
 * fixed: crash in status command, caused by race (r10144)
 * fixed: crashes when deleting a revision-prop (r10148, r10185, r10192)
 * fixed: mod_authz_svn allows COPY method on repos with space in name (#1837)
 * fixed: mod_authz_svn COPY security hole:  authorize whole tree (issue #1949)

 Developer-visible changes:
 * neon 0.24.7 now required (fixes wire compression bugs) (r10159, 10176)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Subversion 1.0.6 released. SECURITY FIX

Posted by Scott Lawrence <sl...@pingtel.com>.

On Tue, 2004-07-20 at 08:52, François Beausoleil wrote:
> Hello Scott,
> 
> Scott Lawrence wrote:
> 
> > On Mon, 2004-07-19 at 19:23, Ben Reser wrote:
> > 
> >>Subversion 1.0.6 is ready.
> > 
> > 
> >> User-visible-changes:
> >> * fixed: crash in status command, caused by race (r10144) 
> > 
> > 
> > Can someone point me to more detail on this?  That doesn't seem to be an
> > issue tracker number...
> > 
> 
> $ svn log -r10144 http://svn.collab.net/repos/svn
> ------------------------------------------------------------------------
> r10144 | bliss | 2004-07-05 12:10:13 -0400 (Mon, 05 Jul 2004) | 6 lines
> 
> Fix a bug in get_dir_status that makes us call handle_dir_entry with a
> null entry pointer which makes it crash.
> 
> * subversion/libsvn_wc/status.c
>   (get_dir_status): Only call handle_dir_entry if the entry is versioned.
> 
> ------------------------------------------------------------------------
> 
> It's a convention to use an r prefix to identify revisions.  Hope that 
> helps !

Thanks, but what I was looking for was some indication of when, from a
users point of view, this happens.  

My server is running 1.0.4, and not using any of the other things that
appear to be important in 1.0.5|6, so I'm trying to determine whether or
not this is a reason to upgrade.   I expect to go to 1.1.x by the time
it's final, and would rather save the trouble of upgrading twice if this
isn't a problem we'll see.

-- 
  Scott Lawrence
  SIPfoundry server tools maintainer
  webmaster@sipfoundry.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Subversion 1.0.6 released. SECURITY FIX

Posted by François Beausoleil <fb...@ftml.net>.

Hello Scott,

Scott Lawrence wrote:

> On Mon, 2004-07-19 at 19:23, Ben Reser wrote:
> 
>>Subversion 1.0.6 is ready.
> 
> 
>> User-visible-changes:
>> * fixed: crash in status command, caused by race (r10144) 
> 
> 
> Can someone point me to more detail on this?  That doesn't seem to be an
> issue tracker number...
> 

$ svn log -r10144 http://svn.collab.net/repos/svn
------------------------------------------------------------------------
r10144 | bliss | 2004-07-05 12:10:13 -0400 (Mon, 05 Jul 2004) | 6 lines

Fix a bug in get_dir_status that makes us call handle_dir_entry with a
null entry pointer which makes it crash.

* subversion/libsvn_wc/status.c
  (get_dir_status): Only call handle_dir_entry if the entry is versioned.

------------------------------------------------------------------------

It's a convention to use an r prefix to identify revisions.  Hope that 
helps !

François



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Subversion 1.0.6 released. SECURITY FIX

Posted by Scott Lawrence <sl...@pingtel.com>.

On Mon, 2004-07-19 at 19:23, Ben Reser wrote:
> Subversion 1.0.6 is ready.

>  User-visible-changes:
>  * fixed: crash in status command, caused by race (r10144) 

Can someone point me to more detail on this?  That doesn't seem to be an
issue tracker number...

-- 
Scott Lawrence
Consulting Engineer
Pingtel Corp.   
sip:slawrence@pingtel.com
+1.781.938.5306 x162


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Subversion 1.0.6 released. SECURITY FIX

Posted by "Jostein Chr. Andersen" <jo...@josander.net>.

The Windows Installer made from */svn-win32-1.0.6.zip is here:

  http://subversion.tigris.org/files/documents/15/14958/svn-1.0.6-setup.exe

Jostein



-- 
http://www.josander.net/en/contact/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Subversion 1.0.6 released. SECURITY FIX

Posted by "Jostein Chr. Andersen" <jo...@josander.net>.

The Windows Installer made from */svn-win32-1.0.6.zip is here:

  http://subversion.tigris.org/files/documents/15/14958/svn-1.0.6-setup.exe

Jostein



-- 
http://www.josander.net/en/contact/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Subversion 1.0.6 released. SECURITY FIX

Posted by Branko Čibej <br...@xbc.nu>.

The Win32 build is now available:

  http://subversion.tigris.org/files/documents/15/14889/svn-win32-1.0.6.zip
  http://subversion.tigris.org/files/documents/15/14892/svn-win32-1.0.6_dev.zip
  http://subversion.tigris.org/files/documents/15/14890/svn-win32-1.0.6_pdb.7z
  http://subversion.tigris.org/files/documents/15/14891/svn-win32-1.0.6_py.zip


The MD5 checksums are:

  fb939ca8d5cafbc639ce487595c675d4  svn-win32-1.0.6.zip
  997efa970e5b02250a4b6c4852575f81  svn-win32-1.0.6_dev.zip
  cc401aa82ba7379809c98445247c1e7c  svn-win32-1.0.6_pdb.7z
  0f1daf28b5862c128f0e1e0577ef67d8  svn-win32-1.0.6_py.zip


The binaries with the workaround for the ASP.NET bug are in at

  http://www.xbc.nu/svn/


Note: The PDB files are now in a 7-zip archive, because that's four 
times smaller than a ZIP archive.


Ben Reser wrote:

>Subversion 1.0.6 is ready. Grab it from:
>
>  http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz
>  http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2 
>
>The MD5 checksums are:
>
>  160c655194dff55f9fdd856110801d01  subversion-1.0.6.tar.gz
>  bb05fe041fef7491b3555904d97f5e1c  subversion-1.0.6.tar.bz2
>
>PGP Signatures are available at:
>   http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz.asc
>   http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2.asc
>
>PGP Signatures will be made by the following person(s) for this release:
>   Ben Reser [1024D/641E358B] with fingerprint:
>   42F5 91FD E577 F545 FB40  8F6B 7241 856B 641E 358B
>
>
>This is likely the last bugfix release in the 1.0.x line.  
>
>Subversion versions up to and including 1.0.5 have a bug in
>mod_authz_svn that allows users with write access to read
>portions of the repository that they do not have read access
>to.  Subversion 1.0.6 and newer (including 1.1.0-rc1) are not
>vulnerable to this issue.
>
>Details:
>========
>
>mod_authz_svn would allow a user to copy portions of a repo to which
>they did not have read permissions to portions that they did have 
>read permissions on, thereby evading the read restrictions.
>
>Severity:
>=========
>
>This is a low risk issue.  Only sites running mod_authz_svn (an
>Apache module) that are trying to restrict some of their users
>with write access to a repo from reading part of that repo are
>vulnerable.
>
>Most installations will not fall into this category.
>Additionally, any attempt to use such a vulnerability will be
>apparent as the copy will be versioned.  Plus, it's doubtful
>any site would permit public write access to its repository
>so this issue should not be accessible by unauthenticated users.
>
>This vulnerability does not affect users running svnserve.
>
>Workarounds:
>============
>
>* Disable DAV and use svnserve.
>
>* Separate content into different repos.
>
>* Disable the COPY method via Apache configuration.  Note this will
>  disallow all copies.
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.6 or 1.1.0-rc1.
>
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team 
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: crash in status command, caused by race (r10144)
> * fixed: crashes when deleting a revision-prop (r10148, r10185, r10192)
> * fixed: mod_authz_svn allows COPY method on repos with space in name (#1837)
> * fixed: mod_authz_svn COPY security hole:  authorize whole tree (issue #1949)
>
> Developer-visible changes:
> * neon 0.24.7 now required (fixes wire compression bugs) (r10159, 10176)
>  
>
-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Subversion 1.0.6 released. SECURITY FIX

Posted by Branko Čibej <br...@xbc.nu>.

The Win32 build is now available:

  http://subversion.tigris.org/files/documents/15/14889/svn-win32-1.0.6.zip
  http://subversion.tigris.org/files/documents/15/14892/svn-win32-1.0.6_dev.zip
  http://subversion.tigris.org/files/documents/15/14890/svn-win32-1.0.6_pdb.7z
  http://subversion.tigris.org/files/documents/15/14891/svn-win32-1.0.6_py.zip


The MD5 checksums are:

  fb939ca8d5cafbc639ce487595c675d4  svn-win32-1.0.6.zip
  997efa970e5b02250a4b6c4852575f81  svn-win32-1.0.6_dev.zip
  cc401aa82ba7379809c98445247c1e7c  svn-win32-1.0.6_pdb.7z
  0f1daf28b5862c128f0e1e0577ef67d8  svn-win32-1.0.6_py.zip


The binaries with the workaround for the ASP.NET bug are in at

  http://www.xbc.nu/svn/


Note: The PDB files are now in a 7-zip archive, because that's four 
times smaller than a ZIP archive.


Ben Reser wrote:

>Subversion 1.0.6 is ready. Grab it from:
>
>  http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz
>  http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2 
>
>The MD5 checksums are:
>
>  160c655194dff55f9fdd856110801d01  subversion-1.0.6.tar.gz
>  bb05fe041fef7491b3555904d97f5e1c  subversion-1.0.6.tar.bz2
>
>PGP Signatures are available at:
>   http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.gz.asc
>   http://subversion.tigris.org/tarballs/subversion-1.0.6.tar.bz2.asc
>
>PGP Signatures will be made by the following person(s) for this release:
>   Ben Reser [1024D/641E358B] with fingerprint:
>   42F5 91FD E577 F545 FB40  8F6B 7241 856B 641E 358B
>
>
>This is likely the last bugfix release in the 1.0.x line.  
>
>Subversion versions up to and including 1.0.5 have a bug in
>mod_authz_svn that allows users with write access to read
>portions of the repository that they do not have read access
>to.  Subversion 1.0.6 and newer (including 1.1.0-rc1) are not
>vulnerable to this issue.
>
>Details:
>========
>
>mod_authz_svn would allow a user to copy portions of a repo to which
>they did not have read permissions to portions that they did have 
>read permissions on, thereby evading the read restrictions.
>
>Severity:
>=========
>
>This is a low risk issue.  Only sites running mod_authz_svn (an
>Apache module) that are trying to restrict some of their users
>with write access to a repo from reading part of that repo are
>vulnerable.
>
>Most installations will not fall into this category.
>Additionally, any attempt to use such a vulnerability will be
>apparent as the copy will be versioned.  Plus, it's doubtful
>any site would permit public write access to its repository
>so this issue should not be accessible by unauthenticated users.
>
>This vulnerability does not affect users running svnserve.
>
>Workarounds:
>============
>
>* Disable DAV and use svnserve.
>
>* Separate content into different repos.
>
>* Disable the COPY method via Apache configuration.  Note this will
>  disallow all copies.
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.6 or 1.1.0-rc1.
>
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team 
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: crash in status command, caused by race (r10144)
> * fixed: crashes when deleting a revision-prop (r10148, r10185, r10192)
> * fixed: mod_authz_svn allows COPY method on repos with space in name (#1837)
> * fixed: mod_authz_svn COPY security hole:  authorize whole tree (issue #1949)
>
> Developer-visible changes:
> * neon 0.24.7 now required (fixes wire compression bugs) (r10159, 10176)
>  
>
-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Subversion 1.0.6 released. *SECURITY FIX*

Re: Subversion 1.0.6 released. *SECURITY FIX*

Re: Subversion 1.0.6 released. *SECURITY FIX*

Re: Subversion 1.0.6 released. *SECURITY FIX*

Re: Subversion 1.0.6 released. *SECURITY FIX*

Re: Subversion 1.0.6 released. *SECURITY FIX*

Re: Subversion 1.0.6 released. *SECURITY FIX*

Re: Subversion 1.0.6 released. *SECURITY FIX*

Subversion 1.0.6 released. SECURITY FIX

Re: Subversion 1.0.6 released. SECURITY FIX

Re: Subversion 1.0.6 released. SECURITY FIX

Re: Subversion 1.0.6 released. SECURITY FIX

Re: Subversion 1.0.6 released. SECURITY FIX

Re: Subversion 1.0.6 released. SECURITY FIX

Re: Subversion 1.0.6 released. SECURITY FIX

Re: Subversion 1.0.6 released. SECURITY FIX