Posted to commits@subversion.apache.org by br...@apache.org on 2013/07/24 19:02:33 UTC

svn commit: r1506629 - in /subversion/site/publish: doap.rdf docs/release-notes/release-history.html download/download.html index.html news.html security/CVE-2013-4131-advisory.txt security/index.html

Author: breser
Date: Wed Jul 24 17:02:33 2013
New Revision: 1506629

URL: http://svn.apache.org/r1506629
Log:
Update site for 1.7.11 and 1.8.1

Added:
    subversion/site/publish/security/CVE-2013-4131-advisory.txt
Modified:
    subversion/site/publish/doap.rdf
    subversion/site/publish/docs/release-notes/release-history.html
    subversion/site/publish/download/download.html
    subversion/site/publish/index.html
    subversion/site/publish/news.html
    subversion/site/publish/security/index.html

Modified: subversion/site/publish/doap.rdf
URL: http://svn.apache.org/viewvc/subversion/site/publish/doap.rdf?rev=1506629&r1=1506628&r2=1506629&view=diff
==============================================================================
Binary files - no diff available.

Modified: subversion/site/publish/docs/release-notes/release-history.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/release-history.html?rev=1506629&r1=1506628&r2=1506629&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/release-history.html (original)
+++ subversion/site/publish/docs/release-notes/release-history.html Wed Jul 24 17:02:33 2013
@@ -31,8 +31,13 @@ Subversion 2.0.</p>
 
 <ul>
   <li>
-    <b>Subversion 1.8.0</b> (Tuesday, 18 June 2013): Feature and bugfix release, see the <a href="/docs/release-notes/1.8.html">release notes</a>.
+    <b>Subversion 1.8.1</b> (Wednesday, 24 July 2013): Bugfix/security release.
+  </li>
+  <li>
+    <b>Subversion 1.7.11</b> (Wednesday, 24 July 2013): Bugfix/security release.
   </li>
+  <li>
+    <b>Subversion 1.8.0</b> (Tuesday, 18 June 2013): Feature and bugfix release, see the <a href="/docs/release-notes/1.8.html">release notes</a>.
   </li>
   <li>
     <b>Subversion 1.7.10</b> (Friday, 31 May 2013): Bugfix/security release.

Modified: subversion/site/publish/download/download.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/download/download.html?rev=1506629&r1=1506628&r2=1506629&view=diff
==============================================================================
--- subversion/site/publish/download/download.html (original)
+++ subversion/site/publish/download/download.html Wed Jul 24 17:02:33 2013
@@ -1,7 +1,7 @@
 <h1>Download Source Code</h1>
 
-[define version]1.8.0[end]
-[define supported]1.7.10[end]
+[define version]1.8.1[end]
+[define supported]1.7.11[end]
 <!-- [define prerelease]1.8.0-rc3[end] -->
 
 <div class="bigpoint">
@@ -91,17 +91,17 @@ Other mirrors:
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.bz2">subversion-[version].tar.bz2</a></td>
-  <td class="checksum">45d227511507c5ed99e07f9d42677362c18b364c</td>
+  <td class="checksum">7705819a0037c14fb32eef36f2e57a803217c689</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.gz">subversion-[version].tar.gz</a></td>
-  <td class="checksum">01c4eed9f019baa14e94b83031f79c3a153a7602</td>
+  <td class="checksum">2abad4b9db4e236890d687f24b8dee7bee52cc2a</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].zip">subversion-[version].zip</a></td>
-  <td class="checksum">6f2b4476b8d8b9f2700ae101252bdf6e67366302</td>
+  <td class="checksum">12261a97df5cdc53175cba813ea451937a226bca</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].zip.asc">PGP</a>]</td>
 </tr>
 </table>
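Review bot: The six checksum cells replaced here and in the following `[supported]` hunk are 40 hex digits, which looks like SHA-1; SHA-1 is no longer considered collision-resistant, so a download page should not present it as the only digest. The PGP link in each row already gives a strong verification path, but a SHA-512 (or SHA-256) column next to it would let users without a PGP setup verify the tarballs too. The table header that names the algorithm is outside this hunk, so I can't confirm how the column is labeled.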
@@ -131,17 +131,17 @@ Other mirrors:
   <th>Signatures</th>
 </tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.bz2">subversion-[supported].tar.bz2</a></td>
-  <td class="checksum">a4f3de0a13b034b0eab4d35512c6c91a4abcf4f5</td>
+  <td class="checksum">d82e187803043b74c072cd5a861ac02e4a027684</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.gz">subversion-[supported].tar.gz</a></td>
-  <td class="checksum">3c7b9e7e1842d54f658477db325d5859f26a40a5</td>
+  <td class="checksum">e57f89818af67a7d6e1707f3612736bbe8ba4f0d</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].zip">subversion-[supported].zip</a></td>
-  <td class="checksum">e19bfee30a7b88c238c554558ed0074b2c03218d</td>
+  <td class="checksum">e7b29fd29b757906e6a88274455d24ea7e326d29</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].zip.asc">PGP</a>]</td>
 </table>
 

Modified: subversion/site/publish/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1506629&r1=1506628&r2=1506629&view=diff
==============================================================================
--- subversion/site/publish/index.html (original)
+++ subversion/site/publish/index.html Wed Jul 24 17:02:33 2013
@@ -64,92 +64,64 @@
 
 <!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
 
-<div class="h3" id="news-20130618"> 
-<h3>2013-06-18 &mdash; Apache Subversion 1.8.0 Released
- <a class="sectionlink" href="#news-20130618"
+<div class="h3" id="news-20130724-2"> 
+<h3>2013-07-24 &mdash; Apache Subversion 1.8.1 Released
+ <a class="sectionlink" href="#news-20130724-2"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.8.0.
+<p>We are pleased to announce the release of Apache Subversion 1.8.1.
  This is the most complete Subversion release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/www-announce/201306.mbox/%3C51C04CAA.1060600%40apache.org%3E"
- >release announcement</a>, the
- <a href="/docs/release-notes/1.8.html">release notes</a>, and 
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.0/CHANGES"
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201307.mbox/%3CCADkdwvS4Ay7Fxivu8D2JPf84Hgh-8gKijC9PDw=YPg6w0gTC2w@mail.gmail.com%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.1/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
  <a href="/download/#recommended-release">download page</a>.</p> 
  
-</div> <!-- #news-20130618 --> 
+</div> <!-- #news-20130724-2 --> 
 
-<div class="h3" id="news-20130612"> 
-<h3>2013-06-12 &mdash; Apache Subversion 1.8.0-rc3 Released
- <a class="sectionlink" href="#news-20130612"
+<div class="h3" id="news-20130724-1"> 
+<h3>2013-07-24 &mdash; Subversion 1.7.11 Released
+ <a class="sectionlink" href="#news-20130724-1"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.8.0-rc3. This 
- is the second public release candidate of Subversion 1.8.0 (rc1 was not publicly
- released).  It is thought to be free of blocking issues, and if none are found
- will become the final release.  For this reason, we encourage thorough testing
- in as many environments as possible.  This release candidate puts us in the 
- last week of the four-week "soak" period to allow for further testing, and
- barring show-stopping bugs, the final 1.8.0 release can be expected on or near
- June 18th.</p>
- 
- <p>Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201306.mbox/%3CCADkdwvQ6eyCU2W55X2+2XFP2Lnp6fGDgYO3GY3VR07bymxujbw@mail.gmail.com%3E"
- >release
- announcement</a> for more information about this release, and the
- <a href="/docs/release-notes/1.8.html">release notes</a> and 
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.0-rc3/CHANGES"> 
- change log</a> for information about the 1.8.0 release.</p> 
- 
-<p>To get this release from the nearest mirror, please visit our
- <a href="/download/#pre-releases">download page</a>.</p> 
+<p>We are pleased to announce the release of Subversion 1.7.11.
+ This is the most complete Subversion release in the 1.7 series to date,
+ and we encourage users of Subversion to upgrade as soon as reasonable.
+ Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201307.mbox/%3CCADkdwvSm90t=jVxr1syE0KouUE1UA5_Z4ApVtLcT9pRFh8MLSw@mail.gmail.com%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.11/CHANGES"
+ >change log</a> for more information about this release.</p> 
  
-</div> <!-- #news-20130612 -->
+<p>To get this release please visit our
+ <a href="/download/#supported-releases">download page</a>.</p> 
  
-<div class="h3" id="news-20130531-2"> 
-<h3>2013-05-31 &mdash; Apache Subversion 1.7.10 Released
- <a class="sectionlink" href="#news-20130531-2"
+</div> <!-- #news-20130724-1 --> 
+
+<div class="h3" id="news-20130618"> 
+<h3>2013-06-18 &mdash; Apache Subversion 1.8.0 Released
+ <a class="sectionlink" href="#news-20130618"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.7.10.
+<p>We are pleased to announce the release of Apache Subversion 1.8.0.
  This is the most complete Subversion release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201305.mbox/%3CCADkdwvRK51pQsybfvsAzjxQJrmVpL0fEa1K4WGkUP9Tzz6KFDw@mail.gmail.com%3E"
- >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.10/CHANGES"
+ <a href="http://mail-archives.apache.org/mod_mbox/www-announce/201306.mbox/%3C51C04CAA.1060600%40apache.org%3E"
+ >release announcement</a>, the
+ <a href="/docs/release-notes/1.8.html">release notes</a>, and 
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.0/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
  <a href="/download/#recommended-release">download page</a>.</p> 
  
-</div> <!-- #news-20130531-2 --> 
-
-<div class="h3" id="news-20130531-1"> 
-<h3>2013-05-31 &mdash; Subversion 1.6.23 Released
- <a class="sectionlink" href="#news-20130531-1"
- title="Link to this section">&para;</a> 
-</h3> 
- 
-<p>We are pleased to announce the release of Subversion 1.6.23.
- This is the most complete Subversion release in the 1.6 series to date,
- and we encourage users of Subversion to upgrade as soon as reasonable.
- Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201305.mbox/%3CCADkdwvTxsMFeHgc8bK2V-2PrSrKoBffTi8+xbHA5tocrrewWew@mail.gmail.com%3E"
- >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.6.23/CHANGES"
- >change log</a> for more information about this release.</p> 
- 
-<p>To get this release please visit our
- <a href="/download/#supported-releases">download page</a>.</p> 
- 
-</div> <!-- #news-20130531-1 -->
+</div> <!-- #news-20130618 --> 
 
 <p style="font-style: italic; text-align:
    right;">[Click <a href="/news.html">here</a> to see all News
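Review bot: The new 1.8.1 and 1.7.11 news items describe each as "the most complete Subversion release" but never say they are security releases or link to the CVE-2013-4131 advisory this same commit adds, even though release-history.html labels both "Bugfix/security release". A front-page reader gets no cue that upgrading is security-relevant. Suggest one sentence in each item, e.g. `This release fixes <a href="/security/CVE-2013-4131-advisory.txt">CVE-2013-4131</a>, a remotely triggerable DoS in mod_dav_svn.` The same applies to the identical items added in the news.html hunk.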

Modified: subversion/site/publish/news.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/news.html?rev=1506629&r1=1506628&r2=1506629&view=diff
==============================================================================
--- subversion/site/publish/news.html (original)
+++ subversion/site/publish/news.html Wed Jul 24 17:02:33 2013
@@ -22,6 +22,45 @@
 <!-- Maybe we could insert H2's to split up the news items by  -->
 <!-- calendar year if we felt the need to do so.               -->
 
+<div class="h3" id="news-20130724-2"> 
+<h3>2013-07-24 &mdash; Apache Subversion 1.8.1 Released
+ <a class="sectionlink" href="#news-20130724-2"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.8.1.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201307.mbox/%3CCADkdwvS4Ay7Fxivu8D2JPf84Hgh-8gKijC9PDw=YPg6w0gTC2w@mail.gmail.com%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.1/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download/#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20130724-2 --> 
+
+<div class="h3" id="news-20130724-1"> 
+<h3>2013-07-24 &mdash; Subversion 1.7.11 Released
+ <a class="sectionlink" href="#news-20130724-1"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Subversion 1.7.11.
+ This is the most complete Subversion release in the 1.7 series to date,
+ and we encourage users of Subversion to upgrade as soon as reasonable.
+ Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201307.mbox/%3CCADkdwvSm90t=jVxr1syE0KouUE1UA5_Z4ApVtLcT9pRFh8MLSw@mail.gmail.com%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.11/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release please visit our
+ <a href="/download/#supported-releases">download page</a>.</p> 
+ 
+</div> <!-- #news-20130724-1 --> 
+
 <div class="h3" id="news-20130618"> 
 <h3>2013-06-18 &mdash; Apache Subversion 1.8.0 Released
  <a class="sectionlink" href="#news-20130618"

Added: subversion/site/publish/security/CVE-2013-4131-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2013-4131-advisory.txt?rev=1506629&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2013-4131-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2013-4131-advisory.txt Wed Jul 24 17:02:33 2013
@@ -0,0 +1,153 @@
+  Subversion HTTP servers up to 1.8.0 (inclusive) are vulnerable
+  to a remotely triggerable "Assertion failed" DoS vulnerability or read
+  overflow.
+
+Summary:
+========
+
+  Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion
+  on some requests made against a revision root.  This can lead to a DoS.
+  If assertions are disabled it will trigger a read overflow which may cause a
+  SEGFAULT (or equivalent) or undefined behavior.
+
+  Commit access is required to exploit this.
+
+Known vulnerable:
+=================
+
+  Subversion HTTPD servers 1.7.0 through 1.7.10 (inclusive).
+  Subversion HTTPD servers 1.8.0 (including 1.8.0 release candidates).
+
+Known fixed:
+============
+
+  Subversion 1.8.1
+  Subversion 1.7.11
+  svnserve (any version) is not vulnerable.
+  Subversion 1.6.x is not vulnerable.
+
+Details:
+========
+
+  The vulnerability can be triggered in two ways.  The first way requires
+  that the Subversion server runs Apache HTTPD 2.2.25 or later or Apache HTTPD
+  2.4.5 or later.  When running under those versions of Apache HTTPD, the
+  vulnerability can be triggered by making a COPY request against a revision
+  root.  The following Subversion operation generates such a request:
+  % svn cp -mm ^/ ^/foo
+
+  With any version of Apache HTTPD, the vulnerability may be triggered by
+  making a DELETE HTTP request against a revision root, a MOVE HTTP request
+  whose source or destination is a revision root, or a COPY HTTP request whose
+  destination is a revision root.  These requests are not part of any valid
+  Subversion operation.
+
+  Making a copy of the repository root is a valid Subversion operation.  
+  However, a code change in Apache HTTPD 2.2.25/2.4.5 led to a codepath being
+  exercised for a revision root that was never before executed for a revision
+  root.  That code performs a hand-rolled path arithmetic instead of using the
+  internal path manipulation library, and thus passes an invalid path down to
+  a library function which runs an assert() validation on that path.
+
+  When assertions are enabled, the validation fails and kills the httpd
+  process.  When assertions are disabled, code would read beyond allocated
+  memory, which may lead to a segfault or undefined behavior. 
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 4 
+  CVSSv2 Base Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P 
+
+  How bad the impact of that is varies based upon several environmental
+  configuration details.  Specifically whether assertions were enabled at
+  build time and what MPM mode Apache httpd is using.
+
+  When assertions are enabled (defaults to on for *nix systems and off for
+  Windows) then the assertion will prevent any undefined behavior, at the cost
+  of a causing the http server process to abort.  Apache httpd servers using a
+  prefork MPM will simply start a new process to replace the process that
+  died.  Servers using threaded MPMs may be processing other requests in the
+  same process as the process that the attack causes to die.  In either case
+  there is an increased processing impact of restarting a process and the cost
+  of per process caches being lost.
+
+  When assertions are disabled a read overflow will occur.  This may cause a
+  segfault.  However, it may also simply read into other memory that was
+  allocated and as a result the precise behavior of Subversion is partially
+  undefined.  Subversion may accept or reject the request when it should not
+  do so based on locks, "If:" http headers or ETags.  We have not found any
+  cases where the contents of the memory that has been read into will be
+  leaked to the client or into the repository.
+
+Recommendations:
+================
+
+  We recommend all users to upgrade to Subversion 1.8.1 or 1.7.11.
+  Users who are unable to upgrade may apply the included patches.
+  
+  New Subversion packages can be found at:
+  http://subversion.apache.org/packages.html
+
+  We remind users that we recommend upgrading Apache HTTPD to 2.2.25 (for
+  repositories served by HTTPD) due to an independent security issue fixed
+  in that HTTPD release: CVE-2013-1896.  See <http://s.apache.org/H1a> for
+  details about CVE-2013-1896, including a recommendation for those who serve
+  Subversion repositories with Apache HTTPD 2.4.x.
+
+References:
+===========
+
+  CVE-2013-4131  (Subversion)
+
+Reported by:
+============
+
+  Daniel Shahaf, Apache Infrastructure
+
+Patches:
+========
+
+Patch for Subversion 1.7.x and 1.8.0:
+[[[
+Index: subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion/mod_dav_svn/repos.c	(revision 1503527)
++++ subversion/mod_dav_svn/repos.c	(revision 1503528)
+@@ -2408,21 +2408,12 @@
+                 svn_boolean_t is_urlpath,
+                 apr_pool_t *pool)
+ {
+-  apr_size_t len;
+-  char *tmp = apr_pstrdup(pool, path);
+-
+-  len = strlen(tmp);
+-
+-  if (len > 0)
++  if (*path != '\0') /* not an empty string */
+     {
+-      /* Remove any trailing slash; else svn_path_dirname() asserts. */
+-      if (tmp[len-1] == '/')
+-        tmp[len-1] = '\0';
+-
+       if (is_urlpath)
+-        return svn_urlpath__dirname(tmp, pool);
++        return svn_urlpath__dirname(path, pool);
+       else
+-        return svn_fspath__dirname(tmp, pool);
++        return svn_fspath__dirname(path, pool);
+     }
+ 
+   return path;
+@@ -2458,7 +2449,9 @@
+       parent->versioned = 1;
+       parent->hooks = resource->hooks;
+       parent->pool = resource->pool;
+-      parent->uri = get_parent_path(resource->uri, TRUE, resource->pool);
++      parent->uri = get_parent_path(svn_urlpath__canonicalize(resource->uri,
++                                                              resource->pool),
++                                    TRUE, resource->pool);
+       parent->info = parentinfo;
+ 
+       parentinfo->uri_path =
+]]]
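Review bot: Two wording slips in the new advisory text. In Details, `That code performs a hand-rolled path arithmetic instead of using` should read `That code performs hand-rolled path arithmetic instead of using`, and in Severity, `at the cost of a causing the http server process to abort` should read `at the cost of causing the http server process to abort`. Several lines also carry trailing whitespace (the Severity score and vector lines among them), which is worth stripping before the file is signed or mirrored.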

Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1506629&r1=1506628&r2=1506629&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Wed Jul 24 17:02:33 2013
@@ -160,6 +160,11 @@ Subversion project.</p>
 <td>1.0.0-1.6.21 and 1.7.0-1.7.9</td>
 <td>svnserve remotely triggerable DoS</td>
 </tr>
+<tr>
+<td><a href="CVE-2013-4131-advisory.txt">CVE-2013-4131-advisory.txt</a></td>
+<td>1.6.0-1.7.10 and 1.8.0</td>
+<td>mod_dav_svn assertion from requests against root path</td>
+</tr>
 </tbody>
 </table>
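Review bot: The new table row lists affected versions as `1.6.0-1.7.10 and 1.8.0`, but the advisory added in this same commit gives Known vulnerable as 1.7.0 through 1.7.10 plus 1.8.0 and explicitly states that 1.6.x is not vulnerable. One of the two is wrong; assuming the advisory is authoritative, the cell should read `<td>1.7.0-1.7.10 and 1.8.0</td>`. Overstating the range would push 1.6.x users toward an unnecessary upgrade and undermines trust in the table.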