Posted to commits@subversion.apache.org by br...@apache.org on 2013/11/25 17:54:48 UTC

svn commit: r1545341 - in /subversion/site/publish: doap.rdf docs/release-notes/release-history.html download/download.html index.html news.html security/CVE-2013-4505-advisory.txt security/CVE-2013-4558-advisory.txt security/index.html

Author: breser
Date: Mon Nov 25 16:54:47 2013
New Revision: 1545341

URL: http://svn.apache.org/r1545341
Log:
Update site for 1.7.14 and 1.8.5 releases (including CVE advisory publication)

Added:
    subversion/site/publish/security/CVE-2013-4505-advisory.txt
    subversion/site/publish/security/CVE-2013-4558-advisory.txt
Modified:
    subversion/site/publish/doap.rdf
    subversion/site/publish/docs/release-notes/release-history.html
    subversion/site/publish/download/download.html
    subversion/site/publish/index.html
    subversion/site/publish/news.html
    subversion/site/publish/security/index.html

Modified: subversion/site/publish/doap.rdf
URL: http://svn.apache.org/viewvc/subversion/site/publish/doap.rdf?rev=1545341&r1=1545340&r2=1545341&view=diff
==============================================================================
--- subversion/site/publish/doap.rdf (original)
+++ subversion/site/publish/doap.rdf Mon Nov 25 16:54:47 2013
@@ -37,15 +37,15 @@
     <release>
       <Version>
         <name>Recommended current 1.8 release</name>
-        <created>2013-10-29</created>
-        <revision>1.8.4</revision>
+        <created>2013-11-25</created>
+        <revision>1.8.5</revision>
       </Version>
     </release>
     <release>
       <Version>
         <name>Current 1.7 release</name>
-        <created>2013-08-30</created>
-        <revision>1.7.13</revision>
+        <created>2013-11-25</created>
+        <revision>1.7.14</revision>
       </Version>
     </release>
     <repository>

Modified: subversion/site/publish/docs/release-notes/release-history.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/release-history.html?rev=1545341&r1=1545340&r2=1545341&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/release-history.html (original)
+++ subversion/site/publish/docs/release-notes/release-history.html Mon Nov 25 16:54:47 2013
@@ -31,6 +31,12 @@ Subversion 2.0.</p>
 
 <ul>
   <li>
+    <b>Subversion 1.8.5</b> (Monday, 25 November 2013): Bugfix/security release.
+  </li>
+  <li>
+    <b>Subversion 1.7.14</b> (Monday, 25 November 2013): Bugfix/security release.
+  </li>
+  <li>
     <b>Subversion 1.8.4</b> (Tuesday, 29 October 2013): Bugfix release.
   </li>
   <li>

Modified: subversion/site/publish/download/download.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/download/download.html?rev=1545341&r1=1545340&r2=1545341&view=diff
==============================================================================
--- subversion/site/publish/download/download.html (original)
+++ subversion/site/publish/download/download.html Mon Nov 25 16:54:47 2013
@@ -1,7 +1,7 @@
 <h1>Download Source Code</h1>
 
-[define version]1.8.4[end]
-[define supported]1.7.13[end]
+[define version]1.8.5[end]
+[define supported]1.7.14[end]
 <!-- [define prerelease]1.8.0-rc3[end] -->
 
 <div class="bigpoint">
@@ -91,17 +91,17 @@ Other mirrors:
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.bz2">subversion-[version].tar.bz2</a></td>
-  <td class="checksum">6e7ac5b56ec22995c763a668c658577f96f2c090</td>
+  <td class="checksum">d21de7daf37d9dd1cb0f777e999a529b96f83082</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.gz">subversion-[version].tar.gz</a></td>
-  <td class="checksum">d114557f5de725890ba285f1902983196a11d7ad</td>
+  <td class="checksum">2859de4cdce4494cecc7a71df4dfbf7a765d7759</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].zip">subversion-[version].zip</a></td>
-  <td class="checksum">6753989f5c6909dac74e3109547bf4794d3002d4</td>
+  <td class="checksum">66643c80041fedf585c8f4537331212e821aeef5</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].zip.asc">PGP</a>]</td>
 </tr>
 </table>
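Review bot: The six new checksum cells are 40-hex (SHA-1-length) digests with nothing in the hunk saying which algorithm they are; suggest naming the algorithm next to the value or in the column header, and, since the digest sits on the same page as the download link, adding a sentence that the PGP signature linked in the next cell is the authoritative verification (a checksum published alongside the artifact only detects corrupted transfers, not a tampered mirror).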
@@ -128,17 +128,17 @@ Other mirrors:
   <th>Signatures</th>
 </tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.bz2">subversion-[supported].tar.bz2</a></td>
-  <td class="checksum">844bb756ec505edaa12b9610832bcd21567139f1</td>
+  <td class="checksum">b35254a844d0b221a3fd8e80974ac75119d77b94</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.gz">subversion-[supported].tar.gz</a></td>
-  <td class="checksum">9fa8d49a18e58403ce5b855e65f748ddd86bba09</td>
+  <td class="checksum">0bdea1c7c20598cd4b6869bf00f6df84fd17d769</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].zip">subversion-[supported].zip</a></td>
-  <td class="checksum">3dad15f19dd43477cc48174a0284e792e32b7a97</td>
+  <td class="checksum">3875467f272cd3e78d12ac57dc42d6e690033494</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].zip.asc">PGP</a>]</td>
 </table>
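Review bot: The unchanged context in this hunk shows the supported-release table with a `<td>` directly after `</tr>` for the .tar.bz2 row (no opening `<tr>`) and a `</table>` that closes without a `</tr>` after the .zip row, unlike the recommended-release table above, which has both. Not introduced by this change, but worth fixing while the rows are being touched so the table is well-formed.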
 

Modified: subversion/site/publish/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1545341&r1=1545340&r2=1545341&view=diff
==============================================================================
--- subversion/site/publish/index.html (original)
+++ subversion/site/publish/index.html Mon Nov 25 16:54:47 2013
@@ -64,63 +64,63 @@
 
 <!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
 
-<div class="h3" id="news-20131029"> 
-<h3>2013-10-29 &mdash; Apache Subversion 1.8.4 Released
- <a class="sectionlink" href="#news-20131029"
+<div class="h3" id="news-20131125-2"> 
+<h3>2013-11-25 &mdash; Apache Subversion 1.8.5 Released
+ <a class="sectionlink" href="#news-20131125-2"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.8.4.
+<p>We are pleased to announce the release of Apache Subversion 1.8.5.
  This is the most complete Subversion release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201310.mbox/%3C526FD988.9040608@apache.org%3E"
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FEB.1070508@apache.org%3E"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.4/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.5/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
  <a href="/download/#recommended-release">download page</a>.</p> 
  
- </div> <!-- #news-20131029 -->
+</div> <!-- #news-20131125-2 --> 
 
- <div class="h3" id="news-20130830-2"> 
-<h3>2013-08-30 &mdash; Apache Subversion 1.8.3 Released
- <a class="sectionlink" href="#news-20130830-2"
+<div class="h3" id="news-20131125-1"> 
+<h3>2013-11-25 &mdash; Apache Subversion 1.7.14 Released
+ <a class="sectionlink" href="#news-20131125-1"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.8.3.
- This is the most complete Subversion release to date, and we encourage
- users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201308.mbox/%3C5220BB7D.7010506@apache.org%3E"
+<p>We are pleased to announce the release of Apache Subversion 1.7.14.
+ This is the most complete Subversion release in the 1.7 series to date,
+ and we encourage users of Subversion to upgrade as soon as reasonable.
+ Please see the
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FE1.2030700@apache.org%3E"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.3/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.14/CHANGES"
  >change log</a> for more information about this release.</p> 
  
-<p>To get this release from the nearest mirror, please visit our
- <a href="/download/#recommended-release">download page</a>.</p> 
+<p>To get this release please visit our
+ <a href="/download/#supported-releases">download page</a>.</p> 
  
-</div> <!-- #news-20130830-2 --> 
+</div> <!-- #news-20131125-1 --> 
 
-<div class="h3" id="news-20130830-1"> 
-<h3>2013-08-30 &mdash; Apache Subversion 1.7.13 Released
- <a class="sectionlink" href="#news-20130830-1"
+<div class="h3" id="news-20131029"> 
+<h3>2013-10-29 &mdash; Apache Subversion 1.8.4 Released
+ <a class="sectionlink" href="#news-20131029"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.7.13.
- This is the most complete Subversion release in the 1.7 series to date,
- and we encourage users of Subversion to upgrade as soon as reasonable.
- Please see the
- <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201308.mbox/%3C5220BB8A.2000704@apache.org%3E"
+<p>We are pleased to announce the release of Apache Subversion 1.8.4.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-dev/201310.mbox/%3C526FD988.9040608@apache.org%3E"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.13/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.4/CHANGES"
  >change log</a> for more information about this release.</p> 
  
-<p>To get this release please visit our
- <a href="/download/#supported-releases">download page</a>.</p> 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download/#recommended-release">download page</a>.</p> 
  
-</div> <!-- #news-20130830-1 --> 
+</div> <!-- #news-20131029 -->
 
 <p style="font-style: italic; text-align:
    right;">[Click <a href="/news.html">here</a> to see all News
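Review bot: The new 1.8.5 and 1.7.14 news items describe the releases only as "the most complete Subversion release to date", while release-history.html in this same commit labels both "Bugfix/security release" and the commit adds two advisories (CVE-2013-4505 and CVE-2013-4558). Suggest one sentence in each item linking the advisories so front-page readers see why the upgrade is urged; the same two blocks are copied verbatim into news.html, so both copies need the change.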

Modified: subversion/site/publish/news.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/news.html?rev=1545341&r1=1545340&r2=1545341&view=diff
==============================================================================
--- subversion/site/publish/news.html (original)
+++ subversion/site/publish/news.html Mon Nov 25 16:54:47 2013
@@ -22,6 +22,45 @@
 <!-- Maybe we could insert H2's to split up the news items by  -->
 <!-- calendar year if we felt the need to do so.               -->
 
+<div class="h3" id="news-20131125-2"> 
+<h3>2013-11-25 &mdash; Apache Subversion 1.8.5 Released
+ <a class="sectionlink" href="#news-20131125-2"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.8.5.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FEB.1070508@apache.org%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.5/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download/#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20131125-2 --> 
+
+<div class="h3" id="news-20131125-1"> 
+<h3>2013-11-25 &mdash; Apache Subversion 1.7.14 Released
+ <a class="sectionlink" href="#news-20131125-1"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.7.14.
+ This is the most complete Subversion release in the 1.7 series to date,
+ and we encourage users of Subversion to upgrade as soon as reasonable.
+ Please see the
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201311.mbox/%3C52937FE1.2030700@apache.org%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.14/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release please visit our
+ <a href="/download/#supported-releases">download page</a>.</p> 
+ 
+</div> <!-- #news-20131125-1 --> 
+
 <div class="h3" id="news-20131029"> 
 <h3>2013-10-29 &mdash; Apache Subversion 1.8.4 Released
  <a class="sectionlink" href="#news-20131029"

Added: subversion/site/publish/security/CVE-2013-4505-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2013-4505-advisory.txt?rev=1545341&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2013-4505-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2013-4505-advisory.txt Mon Nov 25 16:54:47 2013
@@ -0,0 +1,240 @@
+  mod_dontdothat does not restrict requests from serf based clients.
+
+Summary:
+========
+
+  mod_dontdothat allows you to block update REPORT requests against certain
+  paths in the repository.  It expects the paths in the REPORT request
+  to be absolute URLs.  Serf based clients send relative URLs instead
+  of absolute URLs in many cases.  As a result these clients are not blocked
+  as configured by mod_dontdothat.
+
+Known vulnerable:
+=================
+
+  mod_dontdothat 1.4.0 through 1.7.13
+  mod_dontdothat 1.8.0 through 1.8.4
+
+  Note that mod_dontdothat was in contrib until 1.7.3 and contrib is not
+  included in Subversion source tarballs since 1.7.0, so Subversion 1.7.0
+  through 1.7.2 did not included mod_dontdothat (it was still available
+  from the repository tags for those versions under contrib).
+
+Known fixed:
+============
+
+  mod_dontdothat 1.7.14
+  mod_dontdothat 1.8.5 
+
+Details:
+========
+
+  mod_dontdothat allows the blocking of certain update REPORT requests based
+  on the paths of the requests.  This is typically done to block requests
+  against the root of the repository or the tags and branches directories where
+  there may be large trees and require a large amount of server resources to
+  fulfill.
+
+  Update REPORT requests are used to fulfill requests from the client for the
+  following commands:
+    checkout
+    update
+    export
+    diff (when a server URL or revision other than the BASE is specified)
+    status -u
+    copy $URL $WC
+
+  The request body for the request includes a src-path and sometimes a
+  dst-path entity.  mod_dontdothat matches those paths against the configured
+  paths to deny.  When matching the src-path and dst-path, mod_dontdothat
+  expects that an absolute URL will be provided.  However, serf clients in the
+  case of the src-path entity only provided a relative path.  Relative paths
+  have been supported by mod_dav_svn since before Subversion 1.0, but neon
+  based clients never produced them.
+
+  When a path is not an absolute URL then mod_dontdothat allowed the request.
+  As a result a serf client was not blocked by mod_dontdothat.  It's possible
+  for other clients to be modified to avoid the restrictions as well, though
+  we are unaware of anyone doing so.
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 2.6
+  CVSSv2 Base Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P
+
+  We consider this to be a low risk vulnerability.  mod_dontdothat is not
+  typically installed.  It is not intended or useful as an access control
+  mechanism.  Rather it exists primarily to prevent users unintentionally
+  making expensive requests against the server.
+
+  Clients may be able to use more resources than the server admin may have
+  expected and planned for based on their configuration.  This increased
+  resource usage may impact performance and the availability of the server.
+
+  A server admin who has configured mod_dontdothat would expect matching
+  update REPORT requests to be blocked, but they will not be with serf based
+  clients.  Serf was added as a http library in Subversion 1.4 as a compile
+  time option.  In 1.5 it was possible to chose it at run time, provided it
+  had been enabled at compile time.  With 1.8 it became the only supported
+  http library.
+
+  As a result clients that can evade these restrictions are in common use and
+  no special effort is required to do so.
+
+Recommendations:
+================
+
+  Admins using mod_dontdothat are advised to upgrade to 1.7.14 or 1.8.5.
+
+  It may be possible to configure http to disable all requests without an
+  absolute URL in the update REPORT requests.  However, doing so has the 
+  effect of disabling all serf based clients.  Given that serf is the only
+  http library for 1.8.x we do not recommend doing so.  
+
+References:
+===========
+
+  CVE-2013-4505  (Subversion)
+
+Reported by:
+============
+
+  Ben Reser, WANdisco 
+
+Patches:
+========
+
+Patch for Subversion 1.7.x and 1.8.x:
+[[[
+Index: tools/server-side/mod_dontdothat/mod_dontdothat.c
+===================================================================
+--- tools/server-side/mod_dontdothat/mod_dontdothat.c	(revision 1541183)
++++ tools/server-side/mod_dontdothat/mod_dontdothat.c	(working copy)
+@@ -30,6 +30,7 @@
+ #include <util_filter.h>
+ #include <ap_config.h>
+ #include <apr_strings.h>
++#include <apr_uri.h>
+ 
+ #include <expat.h>
+ 
+@@ -36,6 +37,8 @@
+ #include "mod_dav_svn.h"
+ #include "svn_string.h"
+ #include "svn_config.h"
++#include "svn_path.h"
++#include "private/svn_fspath.h"
+ 
+ module AP_MODULE_DECLARE_DATA dontdothat_module;
+ 
+@@ -161,6 +164,34 @@
+     }
+ }
+ 
++/* duplicate of dav_svn__log_err() from mod_dav_svn/util.c */
++static void
++log_dav_err(request_rec *r,
++            dav_error *err,
++            int level)
++{
++    dav_error *errscan;
++
++    /* Log the errors */
++    /* ### should have a directive to log the first or all */
++    for (errscan = err; errscan != NULL; errscan = errscan->prev) {
++        apr_status_t status;
++
++        if (errscan->desc == NULL)
++            continue;
++
++#if AP_MODULE_MAGIC_AT_LEAST(20091119,0)
++        status = errscan->aprerr;
++#else
++        status = errscan->save_errno;
++#endif
++
++        ap_log_rerror(APLOG_MARK, level, status, r,
++                      "%s  [%d, #%d]",
++                      errscan->desc, errscan->status, errscan->error_id);
++    }
++}
++
+ static svn_boolean_t
+ is_this_legal(dontdothat_filter_ctx *ctx, const char *uri)
+ {
+@@ -167,20 +198,37 @@
+   const char *relative_path;
+   const char *cleaned_uri;
+   const char *repos_name;
++  const char *uri_path;
+   int trailing_slash;
+   dav_error *derr;
+ 
+-  /* Ok, so we need to skip past the scheme, host, etc. */
+-  uri = ap_strstr_c(uri, "://");
+-  if (uri)
+-    uri = ap_strchr_c(uri + 3, '/');
++  /* uri can be an absolute uri or just a path, we only want the path to match
++   * against */
++  if (uri && svn_path_is_url(uri))
++    {
++      apr_uri_t parsed_uri;
++      apr_status_t rv = apr_uri_parse(ctx->r->pool, uri, &parsed_uri);
++      if (APR_SUCCESS != rv)
++        {
++          /* Error parsing the URI, log and reject request. */
++          ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, ctx->r,
++                        "mod_dontdothat: blocked request after failing "
++                        "to parse uri: '%s'", uri);
++          return FALSE;
++        }
++      uri_path = parsed_uri.path;
++    }
++  else
++    {
++      uri_path = uri;
++    }
+ 
+-  if (uri)
++  if (uri_path)
+     {
+       const char *repos_path;
+ 
+       derr = dav_svn_split_uri(ctx->r,
+-                               uri,
++                               uri_path,
+                                ctx->cfg->base_path,
+                                &cleaned_uri,
+                                &trailing_slash,
+@@ -194,7 +242,7 @@
+           if (! repos_path)
+             repos_path = "";
+ 
+-          repos_path = apr_psprintf(ctx->r->pool, "/%s", repos_path);
++          repos_path = svn_fspath__canonicalize(repos_path, ctx->r->pool);
+ 
+           /* First check the special cases that are always legal... */
+           for (idx = 0; idx < ctx->allow_recursive_ops->nelts; ++idx)
+@@ -228,7 +276,20 @@
+                 }
+             }
+         }
++      else
++        {
++          log_dav_err(ctx->r, derr, APLOG_ERR);
++          return FALSE;
++        }
++
+     }
++  else
++    {
++      ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r,
++                    "mod_dontdothat: empty uri passed to is_this_legal(), "
++                    "module bug?");
++      return FALSE;
++    }
+ 
+   return TRUE;
+ }
+]]]
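Review bot: The patch changes is_this_legal() to fail closed: a URL that apr_uri_parse() rejects, a dav_svn_split_uri() error, or a NULL uri now returns FALSE and logs at APLOG_ERR, whereas the old code returned TRUE whenever no "/" followed "://". That is the right default for a resource-limiting filter, but the Details section only describes the old allow-on-non-URL behaviour; a sentence stating that 1.7.14/1.8.5 reject unparsable paths and log them would help admins who see newly blocked requests after upgrading. Note also that the fix pulls in private/svn_fspath.h (svn_fspath__canonicalize is a private API), which is fine for an in-tree tools module but should be kept in mind if the module is built out of tree. Prose nits: "did not included" should be "did not include", "chose it at run time" should be "choose", "a http library" reads better as "an http library", and there is trailing whitespace after "mod_dontdothat 1.8.5", "has the", "doing so." and "WANdisco".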

Added: subversion/site/publish/security/CVE-2013-4558-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2013-4558-advisory.txt?rev=1545341&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2013-4558-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2013-4558-advisory.txt Mon Nov 25 16:54:47 2013
@@ -0,0 +1,112 @@
+  mod_dav_svn assertion triggered by non-canonical URLs in autoversioning
+  commits.
+
+Summary:
+========
+
+  When SVNAutoversioning is enabled via
+
+    SVNAutoversioning on
+
+  commits can be made by single HTTP requests such as MKCOL and
+  PUT.  If Subversion is built with assertions enabled any such
+  requests that have non-canonical URLs, such as URLs with a
+  trailing /, may trigger an assert.  An assert will cause the
+  Apache process to abort.
+
+Known vulnerable:
+=================
+
+  mod_dav_svn 1.7.11 through 1.7.13
+  mod_dav_svn 1.8.1 through 1.8.4
+
+Known fixed:
+============
+
+  mod_dav_svn 1.7.14
+  mod_dav_svn 1.8.5
+
+Details:
+========
+
+  Given a repository located at http://example.com/repos the assert can
+  be triggered by commands like:
+
+    curl -X PUT http://example.com/repos/A/
+    curl -X MKCOL http://example.com/repos/A/../B
+
+  The assert happens after the commit has happened in the repository
+  and will not occur if the commit is rejected.
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 3.5
+  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P
+
+  We consider this to be a low risk vulnerability.
+
+  The attacker needs to have commit access to the repository to
+  exploit the vulnerability.
+
+  Most Subversion servers do not have autoversioning enabled. 
+
+  In order for there to be any impact assertions must have been enabled when
+  mod_dav_svn was built.  In this case if assertions are disabled there is no
+  impact.  They are enabled by default on *nix and disabled on Windows.
+
+  The assertion will cause the http server process to abort.  Apache httpd
+  servers using a prefork MPM will simply start a new process to replace
+  the process that died.  Servers using threaded MPMs may be processing other
+  requests in the same process as the process that the attack causes to die.
+  In either case there is an increased processing impact of restarting a
+  process and the cost of per process caches being lost.
+
+Recommendations:
+================
+
+  We recommend all users upgrade mod_dav_svn to Subversion 1.8.5 or 1.7.14 or
+  newer.
+
+  Disabling SVNAutoversioning will avoid the problem.
+
+  Building Subversion with assertions disabled will avoid the problem.
+  This can be done using the -disable-debug option to configure on *nix and
+  by using a Release buld profile on Windows.
+
+References:
+===========
+
+  CVE-2013-4558 (Subversion)
+
+Reported by:
+============
+
+  Philip Martin, WANdisco
+
+Patches:
+========
+
+Patch for Subversion 1.7.x and 1.8.x:
+[[[
+Index: subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion/mod_dav_svn/repos.c	(revision 1539596)
++++ subversion/mod_dav_svn/repos.c	(working copy)
+@@ -2456,9 +2456,12 @@ get_parent_resource(const dav_resource *resource,
+       parent->info = parentinfo;
+ 
+       parentinfo->uri_path =
+-        svn_stringbuf_create(get_parent_path(resource->info->uri_path->data,
+-                                             TRUE, resource->pool),
+-                             resource->pool);
++        svn_stringbuf_create(
++               get_parent_path(
++                   svn_urlpath__canonicalize(resource->info->uri_path->data,
++                                            resource->pool),
++                   TRUE, resource->pool),
++               resource->pool);
+       parentinfo->repos = resource->info->repos;
+       parentinfo->root = resource->info->root;
+       parentinfo->r = resource->info->r;
+]]]
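Review bot: In Recommendations, "-disable-debug" is missing a dash (the configure option is "--disable-debug") and "Release buld profile" should read "build profile". On the fix itself, svn_urlpath__canonicalize() is applied only in get_parent_resource(), to the path handed to get_parent_path(); since the Details section says the assert fires after the commit has already been made, a line stating whether the committed data is affected by the non-canonical URL would answer the obvious admin question about repository integrity. There is also trailing whitespace after "autoversioning enabled.".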

Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1545341&r1=1545340&r2=1545341&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Mon Nov 25 16:54:47 2013
@@ -180,6 +180,16 @@ Subversion project.</p>
 <td>1.4.0-1.7.12 and 1.8.0-1.8.2</td>
 <td>svnserve: symlink attack against pid file</td>
 </tr>
+<tr>
+<td><a href="CVE-2013-4505-advisory.txt">CVE-2013-4505-advisory.txt</a></td>
+<td>1.4.0-1.7.13 and 1.8.0-1.8.4</td>
+<td>mod_dontdothat does not restrict requests from serf based clients</td>
+</tr>
+<tr>
+<td><a href="CVE-2013-4558-advisory.txt">CVE-2013-4558-advisory.txt</a></td>
+<td>1.7.11-1.7.13 and 1.8.1-1.8.4</td>
+<td>mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits</td>
+</tr>
 </tbody>
 </table>