You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@subversion.apache.org by br...@apache.org on 2013/05/31 22:32:18 UTC
svn commit: r1488389 - in /subversion/site/publish/security:
CVE-2013-1968-advisory.txt CVE-2013-2088-advisory.txt
CVE-2013-2112-advisory.txt index.html
Author: breser
Date: Fri May 31 20:32:17 2013
New Revision: 1488389
URL: http://svn.apache.org/r1488389
Log:
Add security advisories for 1.6.23 and 1.7.10
Added:
subversion/site/publish/security/CVE-2013-1968-advisory.txt
subversion/site/publish/security/CVE-2013-2088-advisory.txt
subversion/site/publish/security/CVE-2013-2112-advisory.txt
Modified:
subversion/site/publish/security/index.html
Added: subversion/site/publish/security/CVE-2013-1968-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2013-1968-advisory.txt?rev=1488389&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2013-1968-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2013-1968-advisory.txt Fri May 31 20:32:17 2013
@@ -0,0 +1,335 @@
+ Subversion FSFS repositories can be corrupted by newline characters in
+ filenames
+
+Summary:
+========
+
+ If a filename which contains a newline character (ASCII 0x0a) is
+ committed to a repository using the FSFS format, the resulting
+ revision is corrupt.
+
+ This can lead to disruption for users of the repository.
+
+Known vulnerable:
+=================
+
+ Subversion servers through 1.7.9 (inclusive).
+ Subversion servers through 1.6.21 (inclusive).
+
+Known fixed:
+============
+
+ Subversion 1.7.10
+ Subversion 1.6.23
+ Subversion 1.8.0
+
+Details:
+========
+
+ The FSFS repository stores data for each revision in a revision file.
+
+ Filename data in the revision file is stored on a line-per-line basis.
+ If a filename itself contains a newline character (ASCII 0x0a), this
+ newline is incorrectly treated as a line separator, rather than as
+ part of the filename.
+
+ Affected revisions cannot be read correctly and cause some Subversion
+ commands to fail. Known symptoms of the problem include:
+
+ 1) 'svnadmin verify' is known to fail with errors beginning with:
+ "svnadmin: E160013: File not found:"
+
+ 2) 'svnsync' fails to replicate the revision.
+
+ Apache Subversion clients have always rejected such filenames, so this
+ issue cannot be triggered with stock Subversion clients. It could,
+ however, be triggered by custom malicious Subversion clients or by
+ third-party client implementations.
+
+Severity:
+=========
+
+ CVSSv2 Base Score: 4.9
+ CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:P/A:P
+
+ We consider this to be a medium risk vulnerability. Configurations which
+ allow anonymous write access to the repository will be vulnerable to this
+ without authentication.
+
+ A remote authenticated attacker with commit access may be able to corrupt
+ repositories on a Subversion server and cause disruption for other users.
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to Subversion 1.7.10 or 1.6.23.
+ Users who are unable to upgrade may apply the included patches.
+
+ New Subversion packages can be found at:
+ http://subversion.apache.org/packages.html
+
+ A workaround is to install the control-chars.py hook script as the
+ pre-commit hook, which will prevent bad filenames from entering the
+ repository. The script is available at this URL:
+ https://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/control-chars.py
+
+References:
+===========
+
+ CVE-2013-1968 (Subversion)
+
+Reported by:
+============
+
+ Stefan Sperling, elego Software Solutions GmbH
+
+Patches:
+========
+
+Patch for Subversion 1.7:
+
+[[[
+Index: subversion/libsvn_fs_fs/tree.c
+===================================================================
+--- subversion/libsvn_fs_fs/tree.c (revision 1485181)
++++ subversion/libsvn_fs_fs/tree.c (revision 1485182)
+@@ -44,6 +44,7 @@
+ #include "svn_private_config.h"
+ #include "svn_pools.h"
+ #include "svn_error.h"
++#include "svn_ctype.h"
+ #include "svn_dirent_uri.h"
+ #include "svn_path.h"
+ #include "svn_mergeinfo.h"
+@@ -1806,7 +1807,79 @@ fs_dir_entries(apr_hash_t **table_p,
+ return svn_fs_fs__dag_dir_entries(table_p, node, pool, pool);
+ }
+
++/* Return a copy of PATH, allocated from POOL, for which control
++ characters have been escaped using the form \NNN (where NNN is the
++ octal representation of the byte's ordinal value). */
++static const char *
++illegal_path_escape(const char *path, apr_pool_t *pool)
++{
++ svn_stringbuf_t *retstr;
++ apr_size_t i, copied = 0;
++ int c;
+
++ /* At least one control character:
++ strlen - 1 (control) + \ + N + N + N + null . */
++ retstr = svn_stringbuf_create_ensure(strlen(path) + 4, pool);
++ for (i = 0; path[i]; i++)
++ {
++ c = (unsigned char)path[i];
++ if (! svn_ctype_iscntrl(c))
++ continue;
++
++ /* If we got here, we're looking at a character that isn't
++ supported by the (or at least, our) URI encoding scheme. We
++ need to escape this character. */
++
++ /* First things first, copy all the good stuff that we haven't
++ yet copied into our output buffer. */
++ if (i - copied)
++ svn_stringbuf_appendbytes(retstr, path + copied,
++ i - copied);
++
++ /* Make sure buffer is big enough for '\' 'N' 'N' 'N' (and NUL) */
++ svn_stringbuf_ensure(retstr, retstr->len + 5);
++ /*### The backslash separator doesn't work too great with Windows,
++ but it's what we'll use for consistency with invalid utf8
++ formatting (until someone has a better idea) */
++ apr_snprintf(retstr->data + retstr->len, 5, "\\%03o", (unsigned char)c);
++ retstr->len += 4;
++
++ /* Finally, update our copy counter. */
++ copied = i + 1;
++ }
++
++ /* If we didn't encode anything, we don't need to duplicate the string. */
++ if (retstr->len == 0)
++ return path;
++
++ /* Anything left to copy? */
++ if (i - copied)
++ svn_stringbuf_appendbytes(retstr, path + copied, i - copied);
++
++ /* retstr is null-terminated either by apr_snprintf or the svn_stringbuf
++ functions. */
++
++ return retstr->data;
++}
++
++/* Raise an error if PATH contains a newline because FSFS cannot handle
++ * such paths. See issue #4340. */
++static svn_error_t *
++check_newline(const char *path, apr_pool_t *pool)
++{
++ const char *c;
++
++ for (c = path; *c; c++)
++ {
++ if (*c == '\n')
++ return svn_error_createf(SVN_ERR_FS_PATH_SYNTAX, NULL,
++ _("Invalid control character '0x%02x' in path '%s'"),
++ (unsigned char)*c, illegal_path_escape(path, pool));
++ }
++
++ return SVN_NO_ERROR;
++}
++
+ /* Create a new directory named PATH in ROOT. The new directory has
+ no entries, and no properties. ROOT must be the root of a
+ transaction, not a revision. Do any necessary temporary allocation
+@@ -1820,6 +1893,8 @@ fs_make_dir(svn_fs_root_t *root,
+ dag_node_t *sub_dir;
+ const char *txn_id = root->txn;
+
++ SVN_ERR(check_newline(path, pool));
++
+ SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional,
+ txn_id, pool));
+
+@@ -2082,6 +2157,8 @@ fs_copy(svn_fs_root_t *from_root,
+ const char *to_path,
+ apr_pool_t *pool)
+ {
++ SVN_ERR(check_newline(to_path, pool));
++
+ return svn_error_trace(copy_helper(from_root, from_path, to_root, to_path,
+ TRUE, pool));
+ }
+@@ -2174,6 +2251,8 @@ fs_make_file(svn_fs_root_t *root,
+ dag_node_t *child;
+ const char *txn_id = root->txn;
+
++ SVN_ERR(check_newline(path, pool));
++
+ SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional,
+ txn_id, pool));
+
+]]]
+
+Patch for Subversion 1.6:
+
+[[[
+Index: subversion/libsvn_fs_fs/tree.c
+===================================================================
+--- subversion/libsvn_fs_fs/tree.c (revision 1485298)
++++ subversion/libsvn_fs_fs/tree.c (revision 1485299)
+@@ -43,6 +43,7 @@
+ #include "svn_mergeinfo.h"
+ #include "svn_fs.h"
+ #include "svn_props.h"
++#include "svn_ctype.h"
+
+ #include "fs.h"
+ #include "err.h"
+@@ -1810,7 +1811,79 @@ fs_dir_entries(apr_hash_t **table_p,
+ return svn_fs_fs__dag_dir_entries(table_p, node, pool, pool);
+ }
+
++/* Return a copy of PATH, allocated from POOL, for which control
++ characters have been escaped using the form \NNN (where NNN is the
++ octal representation of the byte's ordinal value). */
++static const char *
++illegal_path_escape(const char *path, apr_pool_t *pool)
++{
++ svn_stringbuf_t *retstr;
++ apr_size_t i, copied = 0;
++ int c;
+
++ /* At least one control character:
++ strlen - 1 (control) + \ + N + N + N + null . */
++ retstr = svn_stringbuf_create_ensure(strlen(path) + 4, pool);
++ for (i = 0; path[i]; i++)
++ {
++ c = (unsigned char)path[i];
++ if (! svn_ctype_iscntrl(c))
++ continue;
++
++ /* If we got here, we're looking at a character that isn't
++ supported by the (or at least, our) URI encoding scheme. We
++ need to escape this character. */
++
++ /* First things first, copy all the good stuff that we haven't
++ yet copied into our output buffer. */
++ if (i - copied)
++ svn_stringbuf_appendbytes(retstr, path + copied,
++ i - copied);
++
++ /* Make sure buffer is big enough for '\' 'N' 'N' 'N' (and NUL) */
++ svn_stringbuf_ensure(retstr, retstr->len + 5);
++ /*### The backslash separator doesn't work too great with Windows,
++ but it's what we'll use for consistency with invalid utf8
++ formatting (until someone has a better idea) */
++ apr_snprintf(retstr->data + retstr->len, 5, "\\%03o", (unsigned char)c);
++ retstr->len += 4;
++
++ /* Finally, update our copy counter. */
++ copied = i + 1;
++ }
++
++ /* If we didn't encode anything, we don't need to duplicate the string. */
++ if (retstr->len == 0)
++ return path;
++
++ /* Anything left to copy? */
++ if (i - copied)
++ svn_stringbuf_appendbytes(retstr, path + copied, i - copied);
++
++ /* retstr is null-terminated either by apr_snprintf or the svn_stringbuf
++ functions. */
++
++ return retstr->data;
++}
++
++/* Raise an error if PATH contains a newline because FSFS cannot handle
++ * such paths. See issue #4340. */
++static svn_error_t *
++check_newline(const char *path, apr_pool_t *pool)
++{
++ const char *c;
++
++ for (c = path; *c; c++)
++ {
++ if (*c == '\n')
++ return svn_error_createf(SVN_ERR_FS_PATH_SYNTAX, NULL,
++ _("Invalid control character '0x%02x' in path '%s'"),
++ (unsigned char)*c, illegal_path_escape(path, pool));
++ }
++
++ return SVN_NO_ERROR;
++}
++
+ /* Create a new directory named PATH in ROOT. The new directory has
+ no entries, and no properties. ROOT must be the root of a
+ transaction, not a revision. Do any necessary temporary allocation
+@@ -1824,6 +1897,8 @@ fs_make_dir(svn_fs_root_t *root,
+ dag_node_t *sub_dir;
+ const char *txn_id = root->txn;
+
++ SVN_ERR(check_newline(path, pool));
++
+ SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional,
+ txn_id, pool));
+
+@@ -2086,6 +2161,8 @@ fs_copy(svn_fs_root_t *from_root,
+ const char *to_path,
+ apr_pool_t *pool)
+ {
++ SVN_ERR(check_newline(to_path, pool));
++
+ return copy_helper(from_root, from_path, to_root, to_path, TRUE, pool);
+ }
+
+@@ -2176,6 +2253,8 @@ fs_make_file(svn_fs_root_t *root,
+ dag_node_t *child;
+ const char *txn_id = root->txn;
+
++ SVN_ERR(check_newline(path, pool));
++
+ SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional,
+ txn_id, pool));
+
+]]]
Added: subversion/site/publish/security/CVE-2013-2088-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2013-2088-advisory.txt?rev=1488389&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2013-2088-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2013-2088-advisory.txt Fri May 31 20:32:17 2013
@@ -0,0 +1,178 @@
+ Subversion releases up to 1.6.22 (inclusive), and 1.7.x tags up to 1.7.10
+ (inclusive, but excepting 1.7.x releases made from those tags),
+ include a contrib/ script prone to shell injection by authenticated users,
+ which could result in arbitrary code execution.
+
+Summary:
+========
+
+Subversion's contrib/ directory contains two example hook scripts, which
+use 'svnlook changed' to examine a revision or transaction and then pass
+those paths as arguments to further 'svnlook' commands, without properly
+escaping the command-line.
+
+The contrib/ directory ships in 1.6.x releases, and although it does not
+ship in 1.7.x or 1.8.x releases, is included in the 1.7.x and 1.8.x
+release branches and tags in Subversion's repository.
+
+Known vulnerable:
+=================
+
+ Subversion releases through 1.6.22 (inculsive)
+ Repository revisions branches/1.7.x until r1485487
+ Repository revisions branches/1.8.x until r1485487
+ Subversion tags through 1.7.10 (inclusive)
+
+Known fixed:
+============
+
+ Releases:
+ Subversion 1.6.23
+ Subversion 1.7.0
+ Subversion 1.8.0
+
+ Tags:
+ Subversion 1.6.23
+ Subversion 1.7.11
+ Subvversion 1.8.0-rc3
+ Subvversion 1.8.0
+
+Details:
+========
+
+ The script contrib/hook-scripts/check-mime-type.pl does not escape
+ argv arguments to 'svnlook' that start with a hyphen. This could be
+ used to cause 'svnlook', and hence check-mime-type.pl, to error out.
+
+ The script contrib/hook-scripts/svn-keyword-check.pl parses filenames
+ from the output of 'svnlook changed' and passes them to a further
+ shell command (equivalent to the 'system()' call of the C standard
+ library) without escaping them. This could be used to run arbitrary
+ shell commands in the context of the user whom the pre-commit script
+ runs as (the user who owns the repository).
+
+Severity:
+=========
+
+ CVSSv2 Base Score: 7.1
+ CVSSv2 Base Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
+
+ Most installations of Subversion do not use these contrib scripts, so
+ while the score above is high, we suspect that very few sites are impacted.
+ However, if you do use these scripts, this is a serious issue.
+
+ The check-mime-type.pl issue could only be a problem if 'svnlook' was
+ patched or if a child of the repository root had a name starting with
+ a '-', so it is ranked as low severity.
+
+ The svn-keyword-check.pl issue could be used by any authenticated
+ committer to run shell commands as the server. Anonymous users
+ typically do not have commit access so cannot exploit this. On the
+ other hand, those who can exploit this could, for example, delete
+ the repository from the server disk.
+
+Recommendations:
+================
+
+ We recommend all users to apply the attached patch. The hook scripts
+ have not changed since 1.6.x, so using their latest versions from the
+ repository is (as of this writing) equivalent to applying the patch.
+
+ The fix will be included in the 1.6.23, 1.7.11, and 1.8.0 releases,
+ when those are made.
+
+ A workaround is to ensure that all in-repository filenames are shell-safe,
+ e.g., match the regular expression
+ ^[A-Za-z0-9_:][A-Za-z0-9_:/-]+$
+ . This can be implemented using the provided [validate-files.py] hook
+ script, by providing a command= that checks the environment variable "FILE"
+ against that pattern; for example, command= might point to the following
+ script:
+
+ #!/usr/bin/env python
+ import os, re, sys
+ re = r'^[A-Za-z0-9_:][A-Za-z0-9_:/-]+$'
+ sys.exit(re.compile(re).match(os.getenv("FILE", " ")))
+
+References:
+===========
+
+ CVE-2013-2088 (Subversion)
+
+Patches:
+========
+
+ Patch against 1.6.21, 1.7.x branch/tags, and 1.8.x branch:
+[[[
+Index: contrib/hook-scripts/check-mime-type.pl
+===================================================================
+--- contrib/hook-scripts/check-mime-type.pl (revision 1484585)
++++ contrib/hook-scripts/check-mime-type.pl (working copy)
+@@ -120,7 +120,7 @@ foreach my $path ( @files_added )
+ # Parse the complete list of property values of the file $path to extract
+ # the mime-type and eol-style
+ foreach my $prop (&read_from_process($svnlook, 'proplist', $repos, '-t',
+- $txn, '--verbose', $path))
++ $txn, '--verbose', '--', $path))
+ {
+ if ($prop =~ /^\s*svn:mime-type : (\S+)/)
+ {
+@@ -187,7 +187,7 @@ sub safe_read_from_pipe
+ croak "$0: safe_read_from_pipe passed no arguments.\n";
+ }
+ print "Running @_\n";
+- my $pid = open(SAFE_READ, '-|');
++ my $pid = open(SAFE_READ, '-|', @_);
+ unless (defined $pid)
+ {
+ die "$0: cannot fork: $!\n";
+Index: contrib/hook-scripts/svn-keyword-check.pl
+===================================================================
+--- contrib/hook-scripts/svn-keyword-check.pl (revision 1484585)
++++ contrib/hook-scripts/svn-keyword-check.pl (working copy)
+@@ -141,7 +141,7 @@ sub check {
+ return 1;
+ } else {
+ my @keywords = get_svnkeywords($file);
+- my $fh = _pipe("$svnlook cat $flag $value $repos $file");
++ my $fh = _pipe($svnlook, qw/cat/, $flag, $value, $repos, '--', $file);
+ while (my $line = <$fh>) {
+ foreach my $keyword (@keywords) {
+ if ($line =~ m/$keyword/) {
+@@ -168,7 +168,7 @@ sub file_is_binary {
+ return 0;
+ }
+ if (has_svn_property($file, "svn:mime-type")) {
+- my ($mimetype) = read_from_process("$svnlook propget $flag $value $repos svn:mime-type $file");
++ my ($mimetype) = read_from_process($svnlook, qw/propget/, $flag, $value, $repos, 'svn:mime-type', '--', $file);
+ chomp($mimetype);
+ $mimetype =~ s/^\s*(.*)/$1/;
+ if ($mimetype =~ m/^text\//) {
+@@ -186,7 +186,7 @@ sub file_is_binary {
+ # Return a list of svn:keywords on a file
+ sub get_svnkeywords {
+ my $file = shift;
+- my @lines = read_from_process("$svnlook propget $flag $value $repos svn:keywords $file");
++ my @lines = read_from_process($svnlook, qw/propget/, $flag, $value, $repos, 'svn:keywords', '--', $file);
+ my @returnlines;
+ foreach my $line (@lines) {
+ $line =~ s/\s+/ /;
+@@ -199,7 +199,7 @@ sub get_svnkeywords {
+ sub has_svn_property {
+ my $file = shift;
+ my $keyword = shift;
+- my @proplist = read_from_process("$svnlook proplist $flag $value $repos $file");
++ my @proplist = read_from_process($svnlook, qw/proplist/, $flag, $value, $repos, '--', $file);
+ foreach my $prop (@proplist) {
+ chomp($prop);
+ if ($prop =~ m/\b$keyword\b/) {
+@@ -241,7 +241,7 @@ sub safe_read_from_pipe {
+ # Return the filehandle as a glob so we can loop over it elsewhere.
+ sub _pipe {
+ local *SAFE_READ;
+- my $pid = open(SAFE_READ, '-|');
++ my $pid = open(SAFE_READ, '-|', @_);
+ unless (defined $pid) {
+ die "$0: cannot fork: $!\n";
+ }
+]]]
Added: subversion/site/publish/security/CVE-2013-2112-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2013-2112-advisory.txt?rev=1488389&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2013-2112-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2013-2112-advisory.txt Fri May 31 20:32:17 2013
@@ -0,0 +1,120 @@
+ Subversion svnserve servers up to 1.7.9 (inclusive) are vulnerable
+ to a remotely triggerable DoS vulnerability.
+
+Summary:
+========
+
+ Subversion's svnserve server process may exit when an incoming TCP connection
+ is closed early in the connection process.
+
+ This can lead to disruption for users of the server.
+
+Known vulnerable:
+=================
+
+ Subversion servers through 1.7.9 (inclusive).
+ Subversion servers through 1.6.21 (inclusive).
+
+Known fixed:
+============
+
+ Subversion 1.7.10
+ Subversion 1.6.23
+ Subversion 1.8.0
+ mod_dav_svn (any version) is not vulnerable.
+
+Details:
+========
+
+ During a connection attempt svnserve improperly treats aborted connections
+ as critical errors, prints an error message and exits. The error message
+ will look like this:
+ svnserve: E000053: Can't accept client connection: Software caused connection abort
+
+ The problem is that svnserve is not properly checking for aborted connection
+ error returns from the accept() call.
+
+Severity:
+=========
+
+ CVSSv2 Base Score: 7.8
+ CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
+
+ We consider this to be a medium risk vulnerability. An exploit exists and
+ has been tested to work against this vulnerability. We do not believe the
+ exploit is being actively used in the wild at this time.
+
+ A remote attacker can cause svnserve to exit and thus deny service to users
+ of the server. The attack does not require that the attacker authenticate.
+
+ Due to differences in implementations of their TCP stacks some operating
+ systems may be more or less prone to this behavior. FreeBSD and OpenBSD are
+ known to be particularly vulnerable. We believe that this is still possible
+ with all operating systems though.
+
+ svnserve when used in inetd, tunnel (svn+ssh), and Win32 service modes is
+ not vulnerable as they do not use the accept() call in question.
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to Subversion 1.7.10 or 1.6.23.
+ Users who are unable to upgrade may apply the included patches.
+
+ New Subversion packages can be found at:
+ http://subversion.apache.org/packages.html
+
+ Using svnserve in inetd, tunnel or Win32 service modes can be used to
+ mitigate this problem. There are no known methods to mitigate this attack
+ in daemon mode.
+
+References:
+===========
+
+ CVE-2013-2112 (Subversion)
+
+Reported by:
+============
+
+ Boris Lytochkin, Yandex
+
+Patches:
+========
+
+Patch for Subversion 1.7
+[[[
+Index: subversion/svnserve/main.c
+===================================================================
+--- subversion/svnserve/main.c (revision 1485046)
++++ subversion/svnserve/main.c (revision 1485047)
+@@ -963,7 +963,9 @@
+ connection_pool) == APR_CHILD_DONE)
+ ;
+ }
+- if (APR_STATUS_IS_EINTR(status))
++ if (APR_STATUS_IS_EINTR(status)
++ || APR_STATUS_IS_ECONNABORTED(status)
++ || APR_STATUS_IS_ECONNRESET(status))
+ {
+ svn_pool_destroy(connection_pool);
+ continue;
+]]]
+
+Patch for Subversion 1.6
+[[[
+Index: subversion/svnserve/main.c
+===================================================================
+--- subversion/svnserve/main.c (revision 1485044)
++++ subversion/svnserve/main.c (revision 1485045)
+@@ -773,7 +773,9 @@
+ connection_pool) == APR_CHILD_DONE)
+ ;
+ }
+- if (APR_STATUS_IS_EINTR(status))
++ if (APR_STATUS_IS_EINTR(status)
++ || APR_STATUS_IS_ECONNABORTED(status)
++ || APR_STATUS_IS_ECONNRESET(status))
+ {
+ svn_pool_destroy(connection_pool);
+ continue;
+]]]
Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1488389&r1=1488388&r2=1488389&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Fri May 31 20:32:17 2013
@@ -145,6 +145,21 @@ Subversion project.</p>
<td>1.7.0-1.7.8</td>
<td>mod_dav_svn crashes on out of range limit in log REPORT request</td>
</tr>
+<tr>
+<td><a href="CVE-2013-1968-advisory.txt">CVE-2013-1968-advisory.txt</a></td>
+<td>1.1.0-1.6.23 and 1.7.0-1.7.9</td>
+<td>fsfs repositories can be corrupted by newline characters in filenames</td>
+</tr>
+<tr>
+<td><a href="CVE-2013-2088-advisory.txt">CVE-2013-2088-advisory.txt</a></td>
+<td>1.2.0-1.6.23 tarballs and repository revisions until r1485487 on /branches/1.7.x and /branches/1.8.x and subversion tags through 1.7.10 (Note: We do not ship the contrib directory in our tarballs from 1.7.0 on)</td>
+<td>contrib hook-scripts can allow arbitrary code execution</td>
+</tr>
+<tr>
+<td><a href="CVE-2013-2112-advisory.txt">CVE-2013-2112-advisory.txt</a></td>
+<td>1.0.0-1.6.21 and 1.7.0-1.7.9</td>
+<td>svnserve remotely triggerable DoS</td>
+</tr>
</tbody>
</table>