Posted to dev@subversion.apache.org by Daniel Shahaf <da...@apache.org> on 2017/08/10 18:04:26 UTC

[SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released

I'm happy to announce the release of Apache Subversion 1.9.7.
Please choose the mirror closest to you by visiting:

    http://subversion.apache.org/download.cgi?update=201708081800#recommended-release

This is a stable security release of the Apache Subversion open source
version control system.  It fixes one security issue:

    CVE-2017-9800:
    Arbitrary code execution on clients through malicious svn+ssh URLs in
    svn:externals and svn:sync-from-url
    http://subversion.apache.org/security/CVE-2017-9800-advisory.txt

The SHA1 checksums are:

    874b81749cdc3e88152d103243c3623ac6338388 subversion-1.9.7.tar.bz2
    1a5f48acf9d0faa60e8c7aea96a9b29ab1d4dcac subversion-1.9.7.tar.gz
    741727b62596bf27f75838c46d1bb6938c83fbd7 subversion-1.9.7.zip

SHA-512 checksums are available at:

    https://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.sha512
    https://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.sha512
    https://www.apache.org/dist/subversion/subversion-1.9.7.zip.sha512

PGP Signatures are available at:

    http://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.asc
    http://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.asc
    http://www.apache.org/dist/subversion/subversion-1.9.7.zip.asc

For this release, the following people have provided PGP signatures:

   Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
    8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
   Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
    8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
   Evgeny Kotkov [4096R/B64FFF1209F9FA74] with fingerprint:
    E7B2 A7F4 EC28 BE9F F8B3  8BA4 B64F FF12 09F9 FA74
   Stefan Hett (CODE SIGNING KEY) [4096R/376A3CFD110B1C95] with fingerprint:
    7B8C A7F6 451A D89C 8ADC  077B 376A 3CFD 110B 1C95
   Daniel Shahaf [3072R/A5FEEE3AC7937444] with fingerprint:
    E966 46BE 08C0 AF0A A0F9  0788 A5FE EE3A C793 7444
   Philip Martin [2048R/76D788E1ED1A599C] with fingerprint:
    A844 790F B574 3606 EE95  9207 76D7 88E1 ED1A 599C

Release notes for the 1.9.x release series may be found at:

    http://subversion.apache.org/docs/release-notes/1.9.html

You can find the list of changes between 1.9.7 and earlier versions at:

    http://svn.apache.org/repos/asf/subversion/tags/1.9.7/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team

Re: [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released

Posted by Daniel Shahaf <da...@apache.org>.
Daniel Shahaf wrote on Thu, 10 Aug 2017 18:04 +0000:
> I'm happy to announce the release of Apache Subversion 1.9.7.
> Please choose the mirror closest to you by visiting:
> 
>     http://subversion.apache.org/download.cgi?update=201708081800#recommended-release
> 
> This is a stable security release of the Apache Subversion open source
> version control system.  It fixes one security issue:
> 
>     CVE-2017-9800:
>     Arbitrary code execution on clients through malicious svn+ssh URLs in
>     svn:externals and svn:sync-from-url
>     http://subversion.apache.org/security/CVE-2017-9800-advisory.txt

This was a coordinated release; here are the other coordinated announcements:

  CVE-2017-12426 (GitLab)
  https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/

  CVE-2017-1000116 (Mercurial (hg))
  https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-August/102699.html

  CVE-2017-1000117 (Git)
  https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/T/#u
