Posted to commits@subversion.apache.org by st...@apache.org on 2015/03/31 14:12:23 UTC

svn commit: r1670313 - in /subversion/site/publish: ./ docs/release-notes/ download/ security/

Author: stsp
Date: Tue Mar 31 12:12:23 2015
New Revision: 1670313

URL: http://svn.apache.org/r1670313
Log:
Update website for 1.8.13 and 1.7.20 releases.

Added:
    subversion/site/publish/security/CVE-2015-0202-advisory.txt   (with props)
    subversion/site/publish/security/CVE-2015-0248-advisory.txt   (with props)
    subversion/site/publish/security/CVE-2015-0251-advisory.txt   (with props)
Modified:
    subversion/site/publish/doap.rdf
    subversion/site/publish/docs/release-notes/release-history.html
    subversion/site/publish/download/download.cgi
    subversion/site/publish/download/download.html
    subversion/site/publish/index.html
    subversion/site/publish/news.html
    subversion/site/publish/security/index.html

Modified: subversion/site/publish/doap.rdf
URL: http://svn.apache.org/viewvc/subversion/site/publish/doap.rdf?rev=1670313&r1=1670312&r2=1670313&view=diff
==============================================================================
--- subversion/site/publish/doap.rdf (original)
+++ subversion/site/publish/doap.rdf Tue Mar 31 12:12:23 2015
@@ -37,15 +37,15 @@
     <release>
       <Version>
         <name>Recommended current 1.8 release</name>
-        <created>2014-12-15</created>
-        <revision>1.8.11</revision>
+        <created>2015-03-31</created>
+        <revision>1.8.13</revision>
       </Version>
     </release>
     <release>
       <Version>
         <name>Current 1.7 release</name>
-        <created>2014-12-15</created>
-        <revision>1.7.19</revision>
+        <created>2015-03-31</created>
+        <revision>1.7.20</revision>
       </Version>
     </release>
     <repository>

Modified: subversion/site/publish/docs/release-notes/release-history.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/release-history.html?rev=1670313&r1=1670312&r2=1670313&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/release-history.html (original)
+++ subversion/site/publish/docs/release-notes/release-history.html Tue Mar 31 12:12:23 2015
@@ -31,6 +31,12 @@ Subversion 2.0.</p>
 
 <ul>
   <li>
+    <b>Subversion 1.8.13</b> (Tuesday, 31 March 2015): Bugfix/security release.
+  </li>
+  <li>
+    <b>Subversion 1.7.20</b> (Tuesday, 31 March 2015): Bugfix/security release.
+  </li>
+  <li>
     <b>Subversion 1.8.11</b> (Monday, 15 December 2014): Bugfix/security release.
   </li>
   <li>

Modified: subversion/site/publish/download/download.cgi
URL: http://svn.apache.org/viewvc/subversion/site/publish/download/download.cgi?rev=1670313&r1=1670312&r2=1670313&view=diff
==============================================================================
--- subversion/site/publish/download/download.cgi (original)
+++ subversion/site/publish/download/download.cgi Tue Mar 31 12:12:23 2015
@@ -1,4 +1,11 @@
 #!/bin/sh
 # Just call the standard mirrors.cgi script. It will use download.html
 # as the input template.
+
+# Default to mirrors which are synced up to Subversion 1.8.13/1.7.20.
+# These releases had a less than 24h mirror update window.
+if [ -z "$QUERY_STRING" ]; then
+  export QUERY_STRING="update=201503310840"
+fi
+
 exec /www/www.apache.org/dyn/mirrors/mirrors.cgi $*
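
Review bot: The new default is applied only when QUERY_STRING is empty, so a request that arrives with any query string skips the "update=201503310840" filter and is not restricted to mirrors synced to 1.8.13/1.7.20. If the intent is that nobody is sent to a stale mirror during the sync window, add the parameter whenever the incoming query lacks an update= value. The hard-coded timestamp also has no removal condition in the comment; state when it should be dropped so it does not stay in the script after the window has passed.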

Modified: subversion/site/publish/download/download.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/download/download.html?rev=1670313&r1=1670312&r2=1670313&view=diff
==============================================================================
--- subversion/site/publish/download/download.html (original)
+++ subversion/site/publish/download/download.html Tue Mar 31 12:12:23 2015
@@ -1,7 +1,7 @@
 <h1>Download Source Code</h1>
 
-[define version]1.8.11[end]
-[define supported]1.7.19[end]
+[define version]1.8.13[end]
+[define supported]1.7.20[end]
 [define prerelease]1.9.0-beta1[end]
 
 <div class="bigpoint">
@@ -91,17 +91,17 @@ Other mirrors:
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.bz2">subversion-[version].tar.bz2</a></td>
-  <td class="checksum">161edaee328f4fdcfd2a7c10ecd3fbcd51c61275</td>
+  <td class="checksum">aa0bd14ac6a8f0fb178cc9ff325387de01cd7452</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].tar.gz">subversion-[version].tar.gz</a></td>
-  <td class="checksum">2fe09670b21fcd7e083b10f088dedcd3252e8e16</td>
+  <td class="checksum">437cf662b7ed27d2254aa7ca334fdd74b49262ef </td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[version].zip">subversion-[version].zip</a></td>
-  <td class="checksum">bb43d38c98d6c84197ec71d1bf4f03c6bf38d14c</td>
+  <td class="checksum">a8ac829dd0d575461424fbd2335820f9d094c379</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].zip.asc">PGP</a>]</td>
 </tr>
 </table>
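
Review bot: In the subversion-[version].tar.gz row the new checksum cell has a trailing space before the closing </td>, unlike the other five cells changed in this file. Strip it so that a copy-and-paste of the cell compares equal to the output of a checksum tool.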
@@ -129,17 +129,17 @@ Other mirrors:
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.bz2">subversion-[supported].tar.bz2</a></td>
-  <td class="checksum">a662721a3a1da70c4b0732d0bde5008ce8873575</td>
+  <td class="checksum">f600c68010d2fd9a23fc8c6b659099aedac12900</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.bz2.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].tar.gz">subversion-[supported].tar.gz</a></td>
-  <td class="checksum">bb3cd135bbd856e7f0f2d59313f075b9bbec9848</td>
+  <td class="checksum">675ac5a843e01dbb4a30d6333a809fd048c5ce0c</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].tar.gz.asc">PGP</a>]</td>
 </tr>
 <tr>
   <td><a href="[preferred]subversion/subversion-[supported].zip">subversion-[supported].zip</a></td>
-  <td class="checksum">3681b967d1c154b2aa4ccb63984d89aedafc488b</td>
+  <td class="checksum">e861f85e9df1b5aca903aa6eda15919c454cbda5</td>
   <td>[<a href="https://www.apache.org/dist/subversion/subversion-[supported].zip.asc">PGP</a>]</td>
 </tr>
 </table>

Modified: subversion/site/publish/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1670313&r1=1670312&r2=1670313&view=diff
==============================================================================
--- subversion/site/publish/index.html (original)
+++ subversion/site/publish/index.html Tue Mar 31 12:12:23 2015
@@ -64,66 +64,65 @@
 
 <!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
 
-<div class="h3" id="news-20150318"> 
-<h3>2015-03-18 &mdash; Apache Subversion 1.9.0-beta1 Released
- <a class="sectionlink" href="#news-20150318"
+<div class="h3" id="news-20150331-1"> 
+<h3>2015-03-31 &mdash; Apache Subversion 1.8.13 Released
+ <a class="sectionlink" href="#news-20150331-1"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.9.0-beta1.
- This release is not intended for production use, but is provided as a
- milestone to encourage wider testing and feedback from intrepid users and
- maintainers.
- Please see the
- <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201503.mbox/%3C550A4939.7080905@apache.org%3E"
+<p>We are pleased to announce the release of Apache Subversion 1.8.13.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-announce/201503.mbox/%3C20150331120220.GO17807%40jim.stsp.name%3E"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.0-beta1/CHANGES"
- >change log</a> for more information about what will eventually be in the
- 1.9.0 release.</p>
-
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.13/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
 <p>To get this release from the nearest mirror, please visit our
- <a href="/download/#pre-releases">download page</a>.</p> 
-
-</div> <!-- #news-20150318 -->
+ <a href="/download/#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20150331-1 --> 
 
-<div class="h3" id="news-20141215-1"> 
-<h3>2014-12-15 &mdash; Apache Subversion 1.8.11 Released
- <a class="sectionlink" href="#news-20141215-1"
+<div class="h3" id="news-20150331-2"> 
+<h3>2015-03-31 &mdash; Apache Subversion 1.7.20 Released
+ <a class="sectionlink" href="#news-20150331-2"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.8.11.
+<p>We are pleased to announce the release of Apache Subversion 1.7.20.
  This is the most complete Subversion release to date, and we encourage
  users of Subversion to upgrade as soon as reasonable. Please see the
- <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201412.mbox/%3C548F4EF1.9070900@apache.org%3E"
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-announce/201503.mbox/%3C20150331120314.GP17807%40jim.stsp.name%3E"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.11/CHANGES"
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.20/CHANGES"
  >change log</a> for more information about this release.</p> 
  
 <p>To get this release from the nearest mirror, please visit our
- <a href="/download/#recommended-release">download page</a>.</p> 
+ <a href="/download/#supported-releases">download page</a>.</p> 
  
-</div> <!-- #news-20141215-1 --> 
+</div> <!-- #news-20150331-2 --> 
 
-<div class="h3" id="news-20140815-2"> 
-<h3>2014-12-15 &mdash; Apache Subversion 1.7.19 Released
- <a class="sectionlink" href="#news-20141215-2"
+<div class="h3" id="news-20150318"> 
+<h3>2015-03-18 &mdash; Apache Subversion 1.9.0-beta1 Released
+ <a class="sectionlink" href="#news-20150318"
  title="Link to this section">&para;</a> 
 </h3> 
  
-<p>We are pleased to announce the release of Apache Subversion 1.7.19.
- This is the most complete Subversion release in the 1.7 series to date,
- and we encourage users of Subversion to upgrade as soon as reasonable.
+<p>We are pleased to announce the release of Apache Subversion 1.9.0-beta1.
+ This release is not intended for production use, but is provided as a
+ milestone to encourage wider testing and feedback from intrepid users and
+ maintainers.
  Please see the
- <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201412.mbox/%3C548F4EEB.7030601@apache.org%3E"
+ <a href="https://mail-archives.apache.org/mod_mbox/subversion-dev/201503.mbox/%3C550A4939.7080905@apache.org%3E"
  >release announcement</a> and the
- <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.19/CHANGES"
- >change log</a> for more information about this release.</p> 
- 
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.9.0-beta1/CHANGES"
+ >change log</a> for more information about what will eventually be in the
+ 1.9.0 release.</p>
+
 <p>To get this release from the nearest mirror, please visit our
- <a href="/download/#supported-releases">download page</a>.</p> 
- 
-</div> <!-- #news-20141215-2 -->
+ <a href="/download/#pre-releases">download page</a>.</p> 
+
+</div> <!-- #news-20150318 -->
 
 <p style="font-style: italic; text-align:
    right;">[Click <a href="/news.html">here</a> to see all News
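
Review bot: The release-announcement links added for 1.8.13 and 1.7.20 use http://mail-archives.apache.org, while the entries removed in this hunk used https:// for the same host. Keep https on these links so the announcement of a security release is not fetched over plaintext.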

Modified: subversion/site/publish/news.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/news.html?rev=1670313&r1=1670312&r2=1670313&view=diff
==============================================================================
--- subversion/site/publish/news.html (original)
+++ subversion/site/publish/news.html Tue Mar 31 12:12:23 2015
@@ -22,6 +22,44 @@
 <!-- Maybe we could insert H2's to split up the news items by  -->
 <!-- calendar year if we felt the need to do so.               -->
 
+<div class="h3" id="news-20150331-1"> 
+<h3>2015-03-31 &mdash; Apache Subversion 1.8.13 Released
+ <a class="sectionlink" href="#news-20150331-1"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.8.13.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-announce/201503.mbox/%3C20150331120220.GO17807%40jim.stsp.name%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.8.13/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download/#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20150331-1 --> 
+
+<div class="h3" id="news-20150331-2"> 
+<h3>2015-03-31 &mdash; Apache Subversion 1.7.20 Released
+ <a class="sectionlink" href="#news-20150331-2"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.7.20.
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable. Please see the
+ <a href="http://mail-archives.apache.org/mod_mbox/subversion-announce/201503.mbox/%3C20150331120314.GP17807%40jim.stsp.name%3E"
+ >release announcement</a> and the
+ <a href="http://svn.apache.org/repos/asf/subversion/tags/1.7.20/CHANGES"
+ >change log</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download/#supported-releases">download page</a>.</p> 
+ 
+</div> <!-- #news-20150331-2 --> 
+
 <div class="h3" id="news-20150318"> 
 <h3>2015-03-18 &mdash; Apache Subversion 1.9.0-beta1 Released
  <a class="sectionlink" href="#news-20150318"
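
Review bot: The added 1.7.20 item says "This is the most complete Subversion release to date", which cannot hold for a 1.7.x release published on the same day as 1.8.13; the 1.7.19 entry removed from index.html in this commit read "in the 1.7 series to date". Neither new item says that these are security releases or links the advisories added under security/ in this same commit, so a reader of the news page gets no signal that the upgrade is security-relevant.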

Added: subversion/site/publish/security/CVE-2015-0202-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2015-0202-advisory.txt?rev=1670313&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2015-0202-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2015-0202-advisory.txt Tue Mar 31 12:12:23 2015
@@ -0,0 +1,572 @@
+  Subversion HTTP servers with FSFS repositories are vulnerable to a
+  remotely triggerable excessive memory use with certain REPORT requests.
+
+Summary:
+========
+
+  Subversion's mod_dav_svn Apache HTTPD server module may use excessive
+  amounts of memory when processing REPORT requests that require traversing
+  through a large number of FSFS repository nodes (files and directories).
+
+  This can lead to a DoS.  There are no known instances of this problem
+  being observed in the wild, but an exploit has been tested.
+
+Known vulnerable:
+=================
+
+  Subversion HTTPD servers 1.8.0 through 1.8.11 (inclusive)
+
+Known fixed:
+============
+
+  Subversion 1.8.13
+  svnserve (any version) is not vulnerable
+
+  Subversion 1.8.12 was not publicly released.
+
+Details:
+========
+
+  Subversion FSFS repositories cache different types of data for performance
+  reasons.  An FSFS repository filesystem is structured as a direct acyclic
+  graph (DAG), and it has a special cache for the DAG nodes.  Subversion 1.8.0
+  added an additional level of caching for the DAG nodes, and the excessive
+  memory use is a consequence of the cached nodes not being deallocated in
+  a timely manner.
+
+  HTTPD Server and Subversion use memory pools for allocations.  Certain
+  REPORT requests can trigger a state when the cache keeps allocating new
+  elements from a pool, but the previously allocated elements are not being
+  deallocated.  This memory will be reclaimed eventually (once the request
+  finishes or when the cache leaves the inappropriate state), but multiple
+  parallel requests might ultimately exhaust all the available memory on the
+  server.
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 5.0
+  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
+
+  We consider this to be a medium risk vulnerability.  Repositories which
+  allow for anonymous reads will be vulnerable without authentication.
+  Unfortunately, no special configuration is required and all mod_dav_svn
+  servers with FSFS repositories are vulnerable.  Apache HTTPD servers that
+  block potentially expensive requests via mod_dontdothat module have a
+  smaller attack surface, but are still vulnerable.
+
+  Actual memory consumption (per request) depends on the layout and size
+  of the particular repository, but is potentially unbounded.  The impact
+  of using this memory varies wildly based on operating system and httpd
+  configuration.  Some operating systems may kill off processes or crash
+  if too much memory is used.  The Apache HTTPD configuration option of
+  MaxRequestsPerChild may restart a process after a certain number of
+  requests and limit the impact of accidental exercise of this issue.
+  However, a determined attacker could repeat the requests and mitigate
+  any countermeasures.
+
+Recommendations:
+================
+
+  We recommend all users to upgrade to Subversion 1.8.13.  Users of
+  Subversion 1.8.x who are unable to upgrade may apply the
+  included patch.
+
+  New Subversion packages can be found at:
+  http://subversion.apache.org/packages.html
+
+  There is no effective configuration that can mitigate the issue entirely
+  however the use of ulimit (or the equivalent) to set memory limits for
+  processes may help prevent the impact affecting other services running on
+  the same machine.
+
+References:
+===========
+
+  CVE-2015-0202  (Subversion)
+
+Reported by:
+============
+
+  Evgeny Kotkov, VisualSVN
+
+Patches:
+========
+
+  Patch against 1.8.11:
+[[[
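
Review bot: Wording in the advisory text above needs a pass before publication. In Details, "direct acyclic graph" should be "directed acyclic graph". In Severity, "a determined attacker could repeat the requests and mitigate any countermeasures" uses "mitigate" where "defeat" or "circumvent" is meant. In Recommendations, "mitigate the issue entirely however the use of ulimit" needs punctuation before "however".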
+Index: subversion/libsvn_fs_fs/tree.c
+===================================================================
+--- subversion/libsvn_fs_fs/tree.c	(revision 1655679)
++++ subversion/libsvn_fs_fs/tree.c	(working copy)
+@@ -127,7 +127,6 @@ typedef struct fs_txn_root_data_t
+ static svn_error_t * get_dag(dag_node_t **dag_node_p,
+                              svn_fs_root_t *root,
+                              const char *path,
+-                             svn_boolean_t needs_lock_cache,
+                              apr_pool_t *pool);
+ 
+ static svn_fs_root_t *make_revision_root(svn_fs_t *fs, svn_revnum_t rev,
+@@ -178,34 +177,10 @@ typedef struct cache_entry_t
+  */
+ enum { BUCKET_COUNT = 256 };
+ 
+-/* Each pool that has received a DAG node, will hold at least on lock on
+-   our cache to ensure that the node remains valid despite being allocated
+-   in the cache's pool.  This is the structure to represent the lock.
+- */
+-typedef struct cache_lock_t
+-{
+-  /* pool holding the lock */
+-  apr_pool_t *pool;
+-
+-  /* cache being locked */
+-  fs_fs_dag_cache_t *cache;
+-
+-  /* next lock. NULL at EOL */
+-  struct cache_lock_t *next;
+-
+-  /* previous lock. NULL at list head. Only then this==cache->first_lock */
+-  struct cache_lock_t *prev;
+-} cache_lock_t;
+-
+ /* The actual cache structure.  All nodes will be allocated in POOL.
+    When the number of INSERTIONS (i.e. objects created form that pool)
+    exceeds a certain threshold, the pool will be cleared and the cache
+    with it.
+-
+-   To ensure that nodes returned from this structure remain valid, the
+-   cache will get locked for the lifetime of the _receiving_ pools (i.e.
+-   those in which we would allocate the node if there was no cache.).
+-   The cache will only be cleared FIRST_LOCK is 0.
+  */
+ struct fs_fs_dag_cache_t
+ {
+@@ -221,47 +196,8 @@ struct fs_fs_dag_cache_t
+   /* Property lookups etc. have a very high locality (75% re-hit).
+      Thus, remember the last hit location for optimistic lookup. */
+   apr_size_t last_hit;
+-
+-  /* List of receiving pools that are still alive. */
+-  cache_lock_t *first_lock;
+ };
+ 
+-/* Cleanup function to be called when a receiving pool gets cleared.
+-   Unlocks the cache once.
+- */
+-static apr_status_t
+-unlock_cache(void *baton_void)
+-{
+-  cache_lock_t *lock = baton_void;
+-
+-  /* remove lock from chain. Update the head */
+-  if (lock->next)
+-    lock->next->prev = lock->prev;
+-  if (lock->prev)
+-    lock->prev->next = lock->next;
+-  else
+-    lock->cache->first_lock = lock->next;
+-
+-  return APR_SUCCESS;
+-}
+-
+-/* Cleanup function to be called when the cache itself gets destroyed.
+-   In that case, we must unregister all unlock requests.
+- */
+-static apr_status_t
+-unregister_locks(void *baton_void)
+-{
+-  fs_fs_dag_cache_t *cache = baton_void;
+-  cache_lock_t *lock;
+-
+-  for (lock = cache->first_lock; lock; lock = lock->next)
+-    apr_pool_cleanup_kill(lock->pool,
+-                          lock,
+-                          unlock_cache);
+-
+-  return APR_SUCCESS;
+-}
+-
+ fs_fs_dag_cache_t*
+ svn_fs_fs__create_dag_cache(apr_pool_t *pool)
+ {
+@@ -268,59 +204,15 @@ svn_fs_fs__create_dag_cache(apr_pool_t *pool)
+   fs_fs_dag_cache_t *result = apr_pcalloc(pool, sizeof(*result));
+   result->pool = svn_pool_create(pool);
+ 
+-  apr_pool_cleanup_register(pool,
+-                            result,
+-                            unregister_locks,
+-                            apr_pool_cleanup_null);
+-
+   return result;
+ }
+ 
+-/* Prevent the entries in CACHE from being destroyed, for as long as the
+-   POOL lives.
+- */
+-static void
+-lock_cache(fs_fs_dag_cache_t* cache, apr_pool_t *pool)
+-{
+-  /* we only need to lock / unlock once per pool.  Since we will often ask
+-     for multiple nodes with the same pool, we can reduce the overhead.
+-     However, if e.g. pools are being used in an alternating pattern,
+-     we may lock the cache more than once for the same pool (and register
+-     just as many cleanup actions).
+-   */
+-  cache_lock_t *lock = cache->first_lock;
+-
+-  /* try to find an existing lock for POOL.
+-     But limit the time spent on chasing pointers.  */
+-  int limiter = 8;
+-  while (lock && --limiter)
+-      if (lock->pool == pool)
+-        return;
+-
+-  /* create a new lock and put it at the beginning of the lock chain */
+-  lock = apr_palloc(pool, sizeof(*lock));
+-  lock->cache = cache;
+-  lock->pool = pool;
+-  lock->next = cache->first_lock;
+-  lock->prev = NULL;
+-
+-  if (cache->first_lock)
+-    cache->first_lock->prev = lock;
+-  cache->first_lock = lock;
+-
+-  /* instruct POOL to remove the look upon cleanup */
+-  apr_pool_cleanup_register(pool,
+-                            lock,
+-                            unlock_cache,
+-                            apr_pool_cleanup_null);
+-}
+-
+ /* Clears the CACHE at regular intervals (destroying all cached nodes)
+  */
+ static void
+ auto_clear_dag_cache(fs_fs_dag_cache_t* cache)
+ {
+-  if (cache->first_lock == NULL && cache->insertions > BUCKET_COUNT)
++  if (cache->insertions > BUCKET_COUNT)
+     {
+       svn_pool_clear(cache->pool);
+ 
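
Review bot: In auto_clear_dag_cache the guard drops "cache->first_lock == NULL", so cache->pool is now cleared on the insertion count alone. That is safe only if no caller ever holds a pointer into cache->pool. The comment above the function should state that invariant (nodes handed out are always copies in the caller's pool), since the lock list that used to enforce it is removed here.
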
+@@ -433,18 +325,12 @@ locate_cache(svn_cache__t **cache,
+     }
+ }
+ 
+-/* Return NODE for PATH from ROOT's node cache, or NULL if the node
+-   isn't cached; read it from the FS. *NODE remains valid until either
+-   POOL or the FS gets cleared or destroyed (whichever comes first).
+-
+-   Since locking can be expensive and POOL may be long-living, for
+-   nodes that will not need to survive the next call to this function,
+-   set NEEDS_LOCK_CACHE to FALSE. */
++/* Return NODE_P for PATH from ROOT's node cache, or NULL if the node
++   isn't cached; read it from the FS. *NODE_P is allocated in POOL. */
+ static svn_error_t *
+ dag_node_cache_get(dag_node_t **node_p,
+                    svn_fs_root_t *root,
+                    const char *path,
+-                   svn_boolean_t needs_lock_cache,
+                    apr_pool_t *pool)
+ {
+   svn_boolean_t found;
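
Review bot: The rewritten doc comment for dag_node_cache_get still carries "or NULL if the node isn't cached; read it from the FS", which leaves unclear whether a miss yields NULL or triggers a read, and it says "Return NODE_P" where the function sets *NODE_P. Suggest: "Set *NODE_P to the node for PATH from ROOT's node cache, or to NULL if the node isn't cached. *NODE_P is allocated in POOL."
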
+@@ -466,25 +352,23 @@ dag_node_cache_get(dag_node_t **node_p,
+       if (bucket->node == NULL)
+         {
+           locate_cache(&cache, &key, root, path, pool);
+-          SVN_ERR(svn_cache__get((void **)&node, &found, cache, key,
+-                                 ffd->dag_node_cache->pool));
++          SVN_ERR(svn_cache__get((void **)&node, &found, cache, key, pool));
+           if (found && node)
+             {
+               /* Patch up the FS, since this might have come from an old FS
+               * object. */
+               svn_fs_fs__dag_set_fs(node, root->fs);
+-              bucket->node = node;
++
++              /* Retain the DAG node in L1 cache. */
++              bucket->node = svn_fs_fs__dag_dup(node,
++                                                ffd->dag_node_cache->pool);
+             }
+         }
+       else
+         {
+-          node = bucket->node;
++          /* Copy the node from L1 cache into the passed-in POOL. */
++          node = svn_fs_fs__dag_dup(bucket->node, pool);
+         }
+-
+-      /* if we found a node, make sure it remains valid at least as long
+-         as it would when allocated in POOL. */
+-      if (node && needs_lock_cache)
+-        lock_cache(ffd->dag_node_cache, pool);
+     }
+   else
+     {
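
Review bot: Both branches now hand back a node allocated in the caller's POOL (svn_cache__get(..., pool) when the bucket is empty, svn_fs_fs__dag_dup(bucket->node, pool) when it is not), so every lookup allocates, including the hits that used to return bucket->node directly. Callers that resolve many paths against one long-lived pool, such as the per-component call in open_path, will accumulate copies there for the pool's lifetime. Worth confirming that those callers pass an iteration pool, so the growth this patch removes from the cache does not move into the request pool.
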
+@@ -822,7 +706,7 @@ get_copy_inheritance(copy_id_inherit_t *inherit_p,
+   SVN_ERR(svn_fs_fs__dag_get_copyroot(&copyroot_rev, &copyroot_path,
+                                       child->node));
+   SVN_ERR(svn_fs_fs__revision_root(&copyroot_root, fs, copyroot_rev, pool));
+-  SVN_ERR(get_dag(&copyroot_node, copyroot_root, copyroot_path, FALSE, pool));
++  SVN_ERR(get_dag(&copyroot_node, copyroot_root, copyroot_path, pool));
+   copyroot_id = svn_fs_fs__dag_get_id(copyroot_node);
+ 
+   if (svn_fs_fs__id_compare(copyroot_id, child_id) == -1)
+@@ -938,7 +822,7 @@ open_path(parent_path_t **parent_path_p,
+     {
+       directory = svn_dirent_dirname(path, pool);
+       if (directory[1] != 0) /* root nodes are covered anyway */
+-        SVN_ERR(dag_node_cache_get(&here, root, directory, TRUE, pool));
++        SVN_ERR(dag_node_cache_get(&here, root, directory, pool));
+     }
+ 
+   /* did the shortcut work? */
+@@ -998,8 +882,8 @@ open_path(parent_path_t **parent_path_p,
+              element if we already know the lookup to fail for the
+              complete path. */
+           if (next || !(flags & open_path_uncached))
+-            SVN_ERR(dag_node_cache_get(&cached_node, root, path_so_far,
+-                                       TRUE, pool));
++            SVN_ERR(dag_node_cache_get(&cached_node, root, path_so_far, pool));
++
+           if (cached_node)
+             child = cached_node;
+           else
+@@ -1136,8 +1020,7 @@ make_path_mutable(svn_fs_root_t *root,
+                                           parent_path->node));
+       SVN_ERR(svn_fs_fs__revision_root(&copyroot_root, root->fs,
+                                        copyroot_rev, pool));
+-      SVN_ERR(get_dag(&copyroot_node, copyroot_root, copyroot_path,
+-                      FALSE, pool));
++      SVN_ERR(get_dag(&copyroot_node, copyroot_root, copyroot_path, pool));
+ 
+       child_id = svn_fs_fs__dag_get_id(parent_path->node);
+       copyroot_id = svn_fs_fs__dag_get_id(copyroot_node);
+@@ -1174,16 +1057,11 @@ make_path_mutable(svn_fs_root_t *root,
+ 
+ /* Open the node identified by PATH in ROOT.  Set DAG_NODE_P to the
+    node we find, allocated in POOL.  Return the error
+-   SVN_ERR_FS_NOT_FOUND if this node doesn't exist.
+-
+-   Since locking can be expensive and POOL may be long-living, for
+-   nodes that will not need to survive the next call to this function,
+-   set NEEDS_LOCK_CACHE to FALSE. */
++   SVN_ERR_FS_NOT_FOUND if this node doesn't exist. */
+ static svn_error_t *
+ get_dag(dag_node_t **dag_node_p,
+         svn_fs_root_t *root,
+         const char *path,
+-        svn_boolean_t needs_lock_cache,
+         apr_pool_t *pool)
+ {
+   parent_path_t *parent_path;
+@@ -1192,7 +1070,7 @@ get_dag(dag_node_t **dag_node_p,
+   /* First we look for the DAG in our cache
+      (if the path may be canonical). */
+   if (*path == '/')
+-    SVN_ERR(dag_node_cache_get(&node, root, path, needs_lock_cache, pool));
++    SVN_ERR(dag_node_cache_get(&node, root, path, pool));
+ 
+   if (! node)
+     {
+@@ -1202,8 +1080,7 @@ get_dag(dag_node_t **dag_node_p,
+           path = svn_fs__canonicalize_abspath(path, pool);
+ 
+           /* Try again with the corrected path. */
+-          SVN_ERR(dag_node_cache_get(&node, root, path, needs_lock_cache,
+-                                     pool));
++          SVN_ERR(dag_node_cache_get(&node, root, path, pool));
+         }
+ 
+       if (! node)
+@@ -1281,7 +1158,7 @@ svn_fs_fs__node_id(const svn_fs_id_t **id_p,
+     {
+       dag_node_t *node;
+ 
+-      SVN_ERR(get_dag(&node, root, path, FALSE, pool));
++      SVN_ERR(get_dag(&node, root, path, pool));
+       *id_p = svn_fs_fs__id_copy(svn_fs_fs__dag_get_id(node), pool);
+     }
+   return SVN_NO_ERROR;
+@@ -1296,7 +1173,7 @@ svn_fs_fs__node_created_rev(svn_revnum_t *revision
+ {
+   dag_node_t *node;
+ 
+-  SVN_ERR(get_dag(&node, root, path, FALSE, pool));
++  SVN_ERR(get_dag(&node, root, path, pool));
+   return svn_fs_fs__dag_get_revision(revision, node, pool);
+ }
+ 
+@@ -1311,7 +1188,7 @@ fs_node_created_path(const char **created_path,
+ {
+   dag_node_t *node;
+ 
+-  SVN_ERR(get_dag(&node, root, path, TRUE, pool));
++  SVN_ERR(get_dag(&node, root, path, pool));
+   *created_path = svn_fs_fs__dag_get_created_path(node);
+ 
+   return SVN_NO_ERROR;
+@@ -1375,7 +1252,7 @@ fs_node_prop(svn_string_t **value_p,
+   dag_node_t *node;
+   apr_hash_t *proplist;
+ 
+-  SVN_ERR(get_dag(&node, root, path, FALSE, pool));
++  SVN_ERR(get_dag(&node, root, path, pool));
+   SVN_ERR(svn_fs_fs__dag_get_proplist(&proplist, node, pool));
+   *value_p = NULL;
+   if (proplist)
+@@ -1398,7 +1275,7 @@ fs_node_proplist(apr_hash_t **table_p,
+   apr_hash_t *table;
+   dag_node_t *node;
+ 
+-  SVN_ERR(get_dag(&node, root, path, FALSE, pool));
++  SVN_ERR(get_dag(&node, root, path, pool));
+   SVN_ERR(svn_fs_fs__dag_get_proplist(&table, node, pool));
+   *table_p = table ? table : apr_hash_make(pool);
+ 
+@@ -1515,8 +1392,8 @@ fs_props_changed(svn_boolean_t *changed_p,
+       (SVN_ERR_FS_GENERAL, NULL,
+        _("Cannot compare property value between two different filesystems"));
+ 
+-  SVN_ERR(get_dag(&node1, root1, path1, TRUE, pool));
+-  SVN_ERR(get_dag(&node2, root2, path2, TRUE, pool));
++  SVN_ERR(get_dag(&node1, root1, path1, pool));
++  SVN_ERR(get_dag(&node2, root2, path2, pool));
+   return svn_fs_fs__dag_things_different(changed_p, NULL,
+                                          node1, node2);
+ }
+@@ -1529,7 +1406,7 @@ fs_props_changed(svn_boolean_t *changed_p,
+ static svn_error_t *
+ get_root(dag_node_t **node, svn_fs_root_t *root, apr_pool_t *pool)
+ {
+-  return get_dag(node, root, "/", TRUE, pool);
++  return get_dag(node, root, "/", pool);
+ }
+ 
+ 
+@@ -2193,7 +2070,7 @@ fs_dir_entries(apr_hash_t **table_p,
+   dag_node_t *node;
+ 
+   /* Get the entries for this path in the caller's pool. */
+-  SVN_ERR(get_dag(&node, root, path, FALSE, pool));
++  SVN_ERR(get_dag(&node, root, path, pool));
+   return svn_fs_fs__dag_dir_entries(table_p, node, pool);
+ }
+ 
+@@ -2365,7 +2242,7 @@ copy_helper(svn_fs_root_t *from_root,
+        _("Copy from mutable tree not currently supported"));
+ 
+   /* Get the NODE for FROM_PATH in FROM_ROOT.*/
+-  SVN_ERR(get_dag(&from_node, from_root, from_path, TRUE, pool));
++  SVN_ERR(get_dag(&from_node, from_root, from_path, pool));
+ 
+   /* Build up the parent path from TO_PATH in TO_ROOT.  If the last
+      component does not exist, it's not that big a deal.  We'll just
+@@ -2442,7 +2319,7 @@ copy_helper(svn_fs_root_t *from_root,
+                                             pool));
+ 
+       /* Make a record of this modification in the changes table. */
+-      SVN_ERR(get_dag(&new_node, to_root, to_path, TRUE, pool));
++      SVN_ERR(get_dag(&new_node, to_root, to_path, pool));
+       SVN_ERR(add_change(to_root->fs, txn_id, to_path,
+                          svn_fs_fs__dag_get_id(new_node), kind, FALSE, FALSE,
+                          svn_fs_fs__dag_node_kind(from_node),
+@@ -2553,7 +2430,7 @@ fs_copied_from(svn_revnum_t *rev_p,
+     {
+       /* There is no cached entry, look it up the old-fashioned
+          way. */
+-      SVN_ERR(get_dag(&node, root, path, TRUE, pool));
++      SVN_ERR(get_dag(&node, root, path, pool));
+       SVN_ERR(svn_fs_fs__dag_get_copyfrom_rev(&copyfrom_rev, node));
+       SVN_ERR(svn_fs_fs__dag_get_copyfrom_path(&copyfrom_path, node));
+     }
+@@ -2628,7 +2505,7 @@ fs_file_length(svn_filesize_t *length_p,
+   dag_node_t *file;
+ 
+   /* First create a dag_node_t from the root/path pair. */
+-  SVN_ERR(get_dag(&file, root, path, FALSE, pool));
++  SVN_ERR(get_dag(&file, root, path, pool));
+ 
+   /* Now fetch its length */
+   return svn_fs_fs__dag_file_length(length_p, file, pool);
+@@ -2647,7 +2524,7 @@ fs_file_checksum(svn_checksum_t **checksum,
+ {
+   dag_node_t *file;
+ 
+-  SVN_ERR(get_dag(&file, root, path, FALSE, pool));
++  SVN_ERR(get_dag(&file, root, path, pool));
+   return svn_fs_fs__dag_file_checksum(checksum, file, kind, pool);
+ }
+ 
+@@ -2666,7 +2543,7 @@ fs_file_contents(svn_stream_t **contents,
+   svn_stream_t *file_stream;
+ 
+   /* First create a dag_node_t from the root/path pair. */
+-  SVN_ERR(get_dag(&node, root, path, FALSE, pool));
++  SVN_ERR(get_dag(&node, root, path, pool));
+ 
+   /* Then create a readable stream from the dag_node_t. */
+   SVN_ERR(svn_fs_fs__dag_get_contents(&file_stream, node, pool));
+@@ -2689,7 +2566,7 @@ fs_try_process_file_contents(svn_boolean_t *succes
+                              apr_pool_t *pool)
+ {
+   dag_node_t *node;
+-  SVN_ERR(get_dag(&node, root, path, FALSE, pool));
++  SVN_ERR(get_dag(&node, root, path, pool));
+ 
+   return svn_fs_fs__dag_try_process_file_contents(success, node,
+                                                   processor, baton, pool);
+@@ -3071,8 +2948,8 @@ fs_contents_changed(svn_boolean_t *changed_p,
+         (SVN_ERR_FS_GENERAL, NULL, _("'%s' is not a file"), path2);
+   }
+ 
+-  SVN_ERR(get_dag(&node1, root1, path1, TRUE, pool));
+-  SVN_ERR(get_dag(&node2, root2, path2, TRUE, pool));
++  SVN_ERR(get_dag(&node1, root1, path1, pool));
++  SVN_ERR(get_dag(&node2, root2, path2, pool));
+   return svn_fs_fs__dag_things_different(NULL, changed_p,
+                                          node1, node2);
+ }
+@@ -3092,10 +2969,10 @@ fs_get_file_delta_stream(svn_txdelta_stream_t **st
+   dag_node_t *source_node, *target_node;
+ 
+   if (source_root && source_path)
+-    SVN_ERR(get_dag(&source_node, source_root, source_path, TRUE, pool));
++    SVN_ERR(get_dag(&source_node, source_root, source_path, pool));
+   else
+     source_node = NULL;
+-  SVN_ERR(get_dag(&target_node, target_root, target_path, TRUE, pool));
++  SVN_ERR(get_dag(&target_node, target_root, target_path, pool));
+ 
+   /* Create a delta stream that turns the source into the target.  */
+   return svn_fs_fs__dag_get_file_delta_stream(stream_p, source_node,
+@@ -3588,7 +3465,7 @@ history_prev(void *baton, apr_pool_t *pool)
+ 
+       SVN_ERR(svn_fs_fs__revision_root(&copyroot_root, fs, copyroot_rev,
+                                        pool));
+-      SVN_ERR(get_dag(&node, copyroot_root, copyroot_path, FALSE, pool));
++      SVN_ERR(get_dag(&node, copyroot_root, copyroot_path, pool));
+       copy_dst = svn_fs_fs__dag_get_created_path(node);
+ 
+       /* If our current path was the very destination of the copy,
+@@ -3785,7 +3662,7 @@ crawl_directory_dag_for_mergeinfo(svn_fs_root_t *r
+       svn_pool_clear(iterpool);
+ 
+       kid_path = svn_fspath__join(this_path, dirent->name, iterpool);
+-      SVN_ERR(get_dag(&kid_dag, root, kid_path, TRUE, iterpool));
++      SVN_ERR(get_dag(&kid_dag, root, kid_path, iterpool));
+ 
+       SVN_ERR(svn_fs_fs__dag_has_mergeinfo(&has_mergeinfo, kid_dag));
+       SVN_ERR(svn_fs_fs__dag_has_descendants_with_mergeinfo(&go_down, kid_dag));
+@@ -4031,7 +3908,7 @@ add_descendant_mergeinfo(svn_mergeinfo_catalog_t r
+   dag_node_t *this_dag;
+   svn_boolean_t go_down;
+ 
+-  SVN_ERR(get_dag(&this_dag, root, path, TRUE, scratch_pool));
++  SVN_ERR(get_dag(&this_dag, root, path, scratch_pool));
+   SVN_ERR(svn_fs_fs__dag_has_descendants_with_mergeinfo(&go_down,
+                                                         this_dag));
+   if (go_down)
+]]]
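
Review bot: every get_dag() caller in this part of the embedded patch loses its fourth argument, and the callers did not agree on its value: fs_node_proplist, fs_dir_entries, history_prev and the fs_file_* functions passed FALSE, while fs_props_changed, get_root, copy_helper, fs_copied_from, fs_contents_changed and the mergeinfo crawlers passed TRUE. The flag therefore selected per-call behaviour that the patch removes without a comment at any call site. Administrators are expected to apply this patch by hand, so the advisory text should say in one sentence what the flag controlled and that dropping it is intended for both groups of callers, if it does not already do so.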

Propchange: subversion/site/publish/security/CVE-2015-0202-advisory.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: subversion/site/publish/security/CVE-2015-0202-advisory.txt
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: subversion/site/publish/security/CVE-2015-0248-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2015-0248-advisory.txt?rev=1670313&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2015-0248-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2015-0248-advisory.txt Tue Mar 31 12:12:23 2015
@@ -0,0 +1,319 @@
+  Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable
+  assertion DoS vulnerability for certain requests with dynamically evaluated
+  revision numbers.
+
+Summary:
+========
+
+  Subversion's mod_dav_svn and svnserve servers will trigger an assertion
+  while processing some requests with special parameters, which are evaluated
+  on the server side.  Assertion will cause svnserve process or the process
+  hosting mod_dav_svn module (Apache) to abort.
+
+  This can lead to a DoS.  There are no known instances of this problem
+  being exploited in the wild, but an exploit has been tested.
+
+Known vulnerable:
+=================
+
+  Subversion servers 1.6.0 through 1.7.19 (inclusive)
+  Subversion servers 1.8.0 through 1.8.11 (inclusive)
+
+Known fixed:
+============
+
+  Subversion 1.7.20
+  Subversion 1.8.13
+
+  Subversion 1.8.12 was not publicly released.
+
+Details:
+========
+
+  Subversion's http:// and svn:// protocol support includes certain request
+  types with parameters, which are evaluated on the server side.  As an
+  example, sometimes clients need to trace the history of the object to its
+  origin, while not knowing the exact value of the origin (revision number)
+  prior to issuing the request.
+
+  Certain parameter combinations can exploit this behavior and force a server
+  into attempting an operation with invalid arguments.  Subversion servers
+  guard against these situations with assertion statements, and the default
+  behavior for a failed assertion is to abort the current process.
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 5.0
+  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
+
+  We consider this to be a medium risk vulnerability.
+
+  Apache HTTPD servers with repositories that allow anonymous reads will be
+  vulnerable without authentication.  Many Apache servers will respawn the
+  listener processes, but a determined attacker will be able to crash these
+  processes as they appear, denying service to legitimate users.  Servers
+  using threaded MPMs will close the connection on other clients being
+  served by the same process that services the request from the attacker.
+  In either case there is an increased processing impact of restarting a
+  process and the cost of per process caches being lost.
+
+  Exploiting this behavior against svnserve does not require an attacker to
+  authenticate.  A remote attacker can cause svnserve process to terminate
+  and thus deny service to users of the server.
+
+  Unfortunately, no special configuration is required and all mod_dav_svn
+  and svnserve servers are vulnerable.
+
+Recommendations:
+================
+
+  We recommend all users to upgrade to Subversion 1.8.13.  Users of
+  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
+  included patch.
+
+  New Subversion packages can be found at:
+  http://subversion.apache.org/packages.html
+
+  No known workarounds are available.
+
+References:
+===========
+
+  CVE-2015-0248  (Subversion)
+
+Reported by:
+============
+
+  Evgeny Kotkov, VisualSVN
+
+Patches:
+========
+
+  Patch against 1.7.19:
+[[[
+Index: subversion/mod_dav_svn/reports/get-location-segments.c
+===================================================================
+--- subversion/mod_dav_svn/reports/get-location-segments.c	(revision 1658197)
++++ subversion/mod_dav_svn/reports/get-location-segments.c	(working copy)
+@@ -181,17 +181,36 @@ dav_svn__get_location_segments_report(const dav_re
+                                   "Not all parameters passed.",
+                                   SVN_DAV_ERROR_NAMESPACE,
+                                   SVN_DAV_ERROR_TAG);
+-  if (SVN_IS_VALID_REVNUM(start_rev)
+-      && SVN_IS_VALID_REVNUM(end_rev)
+-      && (end_rev > start_rev))
++
++  /* No START_REV or PEG_REVISION?  We'll use HEAD. */
++  if (!SVN_IS_VALID_REVNUM(start_rev) || !SVN_IS_VALID_REVNUM(peg_revision))
++    {
++      svn_revnum_t youngest;
++
++      serr = svn_fs_youngest_rev(&youngest, resource->info->repos->fs,
++                                 resource->pool);
++      if (serr != NULL)
++        return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
++                                    "Could not determine youngest revision",
++                                    resource->pool);
++
++      if (!SVN_IS_VALID_REVNUM(start_rev))
++        start_rev = youngest;
++      if (!SVN_IS_VALID_REVNUM(peg_revision))
++        peg_revision = youngest;
++    }
++
++  /* No END_REV?  We'll use 0. */
++  if (!SVN_IS_VALID_REVNUM(end_rev))
++    end_rev = 0;
++
++  if (end_rev > start_rev)
+     return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0,
+                                   "End revision must not be younger than "
+                                   "start revision",
+                                   SVN_DAV_ERROR_NAMESPACE,
+                                   SVN_DAV_ERROR_TAG);
+-  if (SVN_IS_VALID_REVNUM(peg_revision)
+-      && SVN_IS_VALID_REVNUM(start_rev)
+-      && (start_rev > peg_revision))
++  if (start_rev > peg_revision)
+     return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0,
+                                   "Start revision must not be younger than "
+                                   "peg revision",
+Index: subversion/svnserve/serve.c
+===================================================================
+--- subversion/svnserve/serve.c	(revision 1658197)
++++ subversion/svnserve/serve.c	(working copy)
+@@ -2266,10 +2266,31 @@ static svn_error_t *get_location_segments(svn_ra_s
+ 
+   abs_path = svn_fspath__join(b->fs_path->data, relative_path, pool);
+ 
+-  if (SVN_IS_VALID_REVNUM(start_rev)
+-      && SVN_IS_VALID_REVNUM(end_rev)
+-      && (end_rev > start_rev))
++  SVN_ERR(trivial_auth_request(conn, pool, b));
++  SVN_ERR(log_command(baton, conn, pool, "%s",
++                      svn_log__get_location_segments(abs_path, peg_revision,
++                                                     start_rev, end_rev,
++                                                     pool)));
++
++  /* No START_REV or PEG_REVISION?  We'll use HEAD. */
++  if (!SVN_IS_VALID_REVNUM(start_rev) || !SVN_IS_VALID_REVNUM(peg_revision))
+     {
++      svn_revnum_t youngest;
++
++      SVN_CMD_ERR(svn_fs_youngest_rev(&youngest, b->fs, pool));
++
++      if (!SVN_IS_VALID_REVNUM(start_rev))
++        start_rev = youngest;
++      if (!SVN_IS_VALID_REVNUM(peg_revision))
++        peg_revision = youngest;
++    }
++
++  /* No END_REV?  We'll use 0. */
++  if (!SVN_IS_VALID_REVNUM(end_rev))
++    end_rev = 0;
++
++  if (end_rev > start_rev)
++    {
+       err = svn_error_createf(SVN_ERR_INCORRECT_PARAMS, NULL,
+                               "Get-location-segments end revision must not be "
+                               "younger than start revision");
+@@ -2276,9 +2297,7 @@ static svn_error_t *get_location_segments(svn_ra_s
+       return log_fail_and_flush(err, b, conn, pool);
+     }
+ 
+-  if (SVN_IS_VALID_REVNUM(peg_revision)
+-      && SVN_IS_VALID_REVNUM(start_rev)
+-      && (start_rev > peg_revision))
++  if (start_rev > peg_revision)
+     {
+       err = svn_error_createf(SVN_ERR_INCORRECT_PARAMS, NULL,
+                               "Get-location-segments start revision must not "
+@@ -2286,12 +2305,6 @@ static svn_error_t *get_location_segments(svn_ra_s
+       return log_fail_and_flush(err, b, conn, pool);
+     }
+ 
+-  SVN_ERR(trivial_auth_request(conn, pool, b));
+-  SVN_ERR(log_command(baton, conn, pool, "%s",
+-                      svn_log__get_location_segments(abs_path, peg_revision,
+-                                                     start_rev, end_rev,
+-                                                     pool)));
+-
+   /* All the parameters are fine - let's perform the query against the
+    * repository. */
+ 
+]]]
+
+  Patch against 1.8.11:
+[[[
+Index: subversion/mod_dav_svn/reports/get-location-segments.c
+===================================================================
+--- subversion/mod_dav_svn/reports/get-location-segments.c	(revision 1658197)
++++ subversion/mod_dav_svn/reports/get-location-segments.c	(working copy)
+@@ -181,17 +181,36 @@ dav_svn__get_location_segments_report(const dav_re
+                                   "Not all parameters passed.",
+                                   SVN_DAV_ERROR_NAMESPACE,
+                                   SVN_DAV_ERROR_TAG);
+-  if (SVN_IS_VALID_REVNUM(start_rev)
+-      && SVN_IS_VALID_REVNUM(end_rev)
+-      && (end_rev > start_rev))
++
++  /* No START_REV or PEG_REVISION?  We'll use HEAD. */
++  if (!SVN_IS_VALID_REVNUM(start_rev) || !SVN_IS_VALID_REVNUM(peg_revision))
++    {
++      svn_revnum_t youngest;
++
++      serr = svn_fs_youngest_rev(&youngest, resource->info->repos->fs,
++                                 resource->pool);
++      if (serr != NULL)
++        return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
++                                    "Could not determine youngest revision",
++                                    resource->pool);
++
++      if (!SVN_IS_VALID_REVNUM(start_rev))
++        start_rev = youngest;
++      if (!SVN_IS_VALID_REVNUM(peg_revision))
++        peg_revision = youngest;
++    }
++
++  /* No END_REV?  We'll use 0. */
++  if (!SVN_IS_VALID_REVNUM(end_rev))
++    end_rev = 0;
++
++  if (end_rev > start_rev)
+     return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0,
+                                   "End revision must not be younger than "
+                                   "start revision",
+                                   SVN_DAV_ERROR_NAMESPACE,
+                                   SVN_DAV_ERROR_TAG);
+-  if (SVN_IS_VALID_REVNUM(peg_revision)
+-      && SVN_IS_VALID_REVNUM(start_rev)
+-      && (start_rev > peg_revision))
++  if (start_rev > peg_revision)
+     return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0,
+                                   "Start revision must not be younger than "
+                                   "peg revision",
+Index: subversion/svnserve/serve.c
+===================================================================
+--- subversion/svnserve/serve.c	(revision 1658197)
++++ subversion/svnserve/serve.c	(working copy)
+@@ -2468,10 +2468,31 @@ static svn_error_t *get_location_segments(svn_ra_s
+ 
+   abs_path = svn_fspath__join(b->fs_path->data, relative_path, pool);
+ 
+-  if (SVN_IS_VALID_REVNUM(start_rev)
+-      && SVN_IS_VALID_REVNUM(end_rev)
+-      && (end_rev > start_rev))
++  SVN_ERR(trivial_auth_request(conn, pool, b));
++  SVN_ERR(log_command(baton, conn, pool, "%s",
++                      svn_log__get_location_segments(abs_path, peg_revision,
++                                                     start_rev, end_rev,
++                                                     pool)));
++
++  /* No START_REV or PEG_REVISION?  We'll use HEAD. */
++  if (!SVN_IS_VALID_REVNUM(start_rev) || !SVN_IS_VALID_REVNUM(peg_revision))
+     {
++      svn_revnum_t youngest;
++
++      SVN_CMD_ERR(svn_fs_youngest_rev(&youngest, b->fs, pool));
++
++      if (!SVN_IS_VALID_REVNUM(start_rev))
++        start_rev = youngest;
++      if (!SVN_IS_VALID_REVNUM(peg_revision))
++        peg_revision = youngest;
++    }
++
++  /* No END_REV?  We'll use 0. */
++  if (!SVN_IS_VALID_REVNUM(end_rev))
++    end_rev = 0;
++
++  if (end_rev > start_rev)
++    {
+       err = svn_error_createf(SVN_ERR_INCORRECT_PARAMS, NULL,
+                               "Get-location-segments end revision must not be "
+                               "younger than start revision");
+@@ -2478,9 +2499,7 @@ static svn_error_t *get_location_segments(svn_ra_s
+       return log_fail_and_flush(err, b, conn, pool);
+     }
+ 
+-  if (SVN_IS_VALID_REVNUM(peg_revision)
+-      && SVN_IS_VALID_REVNUM(start_rev)
+-      && (start_rev > peg_revision))
++  if (start_rev > peg_revision)
+     {
+       err = svn_error_createf(SVN_ERR_INCORRECT_PARAMS, NULL,
+                               "Get-location-segments start revision must not "
+@@ -2488,12 +2507,6 @@ static svn_error_t *get_location_segments(svn_ra_s
+       return log_fail_and_flush(err, b, conn, pool);
+     }
+ 
+-  SVN_ERR(trivial_auth_request(conn, pool, b));
+-  SVN_ERR(log_command(baton, conn, pool, "%s",
+-                      svn_log__get_location_segments(abs_path, peg_revision,
+-                                                     start_rev, end_rev,
+-                                                     pool)));
+-
+   /* All the parameters are fine - let's perform the query against the
+    * repository. */
+ 
+]]]
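
Review bot: in the svnserve/serve.c hunks of both embedded patches, trivial_auth_request() and log_command() are moved ahead of the new defaulting block with no comment explaining the reordering. As a result log_command() records start_rev and peg_revision as the client sent them, not the HEAD values substituted a few lines later, and requests that are then rejected by the "end revision must not be younger than start revision" check are logged as commands before log_fail_and_flush() runs. A short comment above the moved calls stating why they have to precede the SVN_CMD_ERR(svn_fs_youngest_rev(...)) call, and that the logged revisions are the unresolved ones, would keep a later cleanup from moving them back. In the advisory text, Recommendations names only 1.8.13 although Known fixed also lists 1.7.20; pointing 1.7.x users at 1.7.20 would be clearer.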

Propchange: subversion/site/publish/security/CVE-2015-0248-advisory.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: subversion/site/publish/security/CVE-2015-0248-advisory.txt
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: subversion/site/publish/security/CVE-2015-0251-advisory.txt
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/CVE-2015-0251-advisory.txt?rev=1670313&view=auto
==============================================================================
--- subversion/site/publish/security/CVE-2015-0251-advisory.txt (added)
+++ subversion/site/publish/security/CVE-2015-0251-advisory.txt Tue Mar 31 12:12:23 2015
@@ -0,0 +1,239 @@
+  Subversion HTTP servers allow spoofing svn:author property values
+  for new revisions.
+
+Summary:
+========
+
+  Subversion's mod_dav_svn server allows setting arbitrary svn:author
+  property values when committing new revisions.  This can be accomplished
+  using a specially crafted sequence of requests.  An evil-doer can fake
+  svn:author values on his commits.  However, as authorization rules are
+  applied to the evil-doer's true username, forged svn:author values can
+  only happen on commits that touch the paths the evil-doer has write
+  access to.
+
+  Doing so does not grant any additional access and does not circumvent the
+  standard Apache authentication or authorization mechanisms.  Still, an
+  ability to spoof svn:author property values can impact data integrity in
+  environments that rely on these values.
+
+  There are no known instances of the problem being exploited in the wild,
+  but an exploit has been tested.
+
+Known vulnerable:
+=================
+
+  Subversion HTTPD servers 1.5.0 through 1.7.19 (inclusive)
+  Subversion HTTPD servers 1.8.0 through 1.8.11 (inclusive)
+
+Known fixed:
+============
+
+  Subversion 1.7.20
+  Subversion 1.8.13
+  svnserve (any version) is not vulnerable
+
+  Subversion 1.8.12 was not publicly released.
+
+Details:
+========
+
+  The Subversion http://-based protocol used for communicating with
+  a Subversion mod_dav_svn server has two versions, v1 and v2.  The v2
+  protocol was added in Subversion 1.7.0, but the server allows using both
+  protocol versions for compatibility reasons.  When a commit happens, the
+  client sends a sequence of requests (POST, PUT, MERGE, etc.) that depend
+  on the negotiated protocol version.
+
+  Usually, a server uses the name of the authenticated user as the svn:author
+  value for a new revision.  However, with a specially handcrafted v1 request
+  sequence, a client can instruct the server to use the svn:author property
+  that she/he provided.  In this case, the server will use an arbitrary value
+  coming from the client instead of the svn:author value originating from
+  the authentication mechanism.
+
+Severity:
+=========
+
+  CVSSv2 Base Score: 3.5
+  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
+
+  We consider this to be a medium risk vulnerability.
+
+  An attacker needs to have commit access to the repository to exploit the
+  vulnerability.  The ability to spoof svn:author property values can impact
+  data integrity in environments that expect the values to denote the actual
+  commit author.  The real ID of the author could still be determined using
+  server access logs.  However, it is also possible that a spoofed change
+  could go in unnoticed.
+
+  Subversion's repository hooks might see the real ID of the author or the
+  forged value, depending on the hook type and the hook contents:
+
+  - A start-commit hook will see the real username in the USER argument
+  - A start-commit hook will see the real username when performing
+    'svnlook propget --revprop -t TXN_NAME'
+  - A pre-commit hook will see the forged username when performing
+    'svnlook propget --revprop -t TXN_NAME'
+  - A post-commit hook will see the forged username when performing
+    'svnlook propget --revprop -r REV'
+
+  Unfortunately, no special configuration is required and all mod_dav_svn
+  servers are vulnerable.
+
+Recommendations:
+================
+
+  We recommend all users to upgrade to Subversion 1.8.13.  Users of
+  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
+  included patch.
+
+  New Subversion packages can be found at:
+  http://subversion.apache.org/packages.html
+
+  No workaround is available.
+
+References:
+===========
+
+  CVE-2015-0251  (Subversion)
+
+Reported by:
+============
+
+  Ivan Zhakov, VisualSVN
+
+Patches:
+========
+
+  Patch against 1.7.19:
+[[[
+Index: subversion/mod_dav_svn/deadprops.c
+===================================================================
+--- subversion/mod_dav_svn/deadprops.c	(revision 1660122)
++++ subversion/mod_dav_svn/deadprops.c	(working copy)
+@@ -160,6 +160,23 @@ get_value(dav_db *db, const dav_prop_name *name, s
+ }
+ 
+ 
++static svn_error_t *
++change_txn_prop(svn_fs_txn_t *txn,
++                const char *propname,
++                const svn_string_t *value,
++                apr_pool_t *scratch_pool)
++{
++  if (strcmp(propname, SVN_PROP_REVISION_AUTHOR) == 0)
++    return svn_error_create(SVN_ERR_RA_DAV_REQUEST_FAILED, NULL,
++                            "Attempted to modify 'svn:author' property "
++                            "on a transaction");
++
++  SVN_ERR(svn_repos_fs_change_txn_prop(txn, propname, value, scratch_pool));
++
++  return SVN_NO_ERROR;
++}
++
++
+ static dav_error *
+ save_value(dav_db *db, const dav_prop_name *name,
+            const svn_string_t *const *old_value_p,
+@@ -210,9 +227,8 @@ save_value(dav_db *db, const dav_prop_name *name,
+     {
+       if (db->resource->working)
+         {
+-          serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
+-                                              propname, value,
+-                                              subpool);
++          serr = change_txn_prop(resource->info->root.txn, propname,
++                                 value, subpool);
+         }
+       else
+         {
+@@ -251,8 +267,8 @@ save_value(dav_db *db, const dav_prop_name *name,
+     }
+   else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
+     {
+-      serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
+-                                          propname, value, subpool);
++      serr = change_txn_prop(resource->info->root.txn, propname,
++                             value, subpool);
+     }
+   else
+     {
+@@ -561,8 +577,8 @@ db_remove(dav_db *db, const dav_prop_name *name)
+   /* Working Baseline or Working (Version) Resource */
+   if (db->resource->baselined)
+     if (db->resource->working)
+-      serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
+-                                          propname, NULL, subpool);
++      serr = change_txn_prop(db->resource->info->root.txn, propname,
++                             NULL, subpool);
+     else
+       /* ### VIOLATING deltaV: you can't proppatch a baseline, it's
+          not a working resource!  But this is how we currently
+]]]
+
+  Patch against 1.8.11:
+[[[
+Index: subversion/mod_dav_svn/deadprops.c
+===================================================================
+--- subversion/mod_dav_svn/deadprops.c	(revision 1660122)
++++ subversion/mod_dav_svn/deadprops.c	(working copy)
+@@ -163,6 +163,23 @@ get_value(dav_db *db, const dav_prop_name *name, s
+ }
+ 
+ 
++static svn_error_t *
++change_txn_prop(svn_fs_txn_t *txn,
++                const char *propname,
++                const svn_string_t *value,
++                apr_pool_t *scratch_pool)
++{
++  if (strcmp(propname, SVN_PROP_REVISION_AUTHOR) == 0)
++    return svn_error_create(SVN_ERR_RA_DAV_REQUEST_FAILED, NULL,
++                            "Attempted to modify 'svn:author' property "
++                            "on a transaction");
++
++  SVN_ERR(svn_repos_fs_change_txn_prop(txn, propname, value, scratch_pool));
++
++  return SVN_NO_ERROR;
++}
++
++
+ static dav_error *
+ save_value(dav_db *db, const dav_prop_name *name,
+            const svn_string_t *const *old_value_p,
+@@ -213,9 +230,8 @@ save_value(dav_db *db, const dav_prop_name *name,
+     {
+       if (resource->working)
+         {
+-          serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
+-                                              propname, value,
+-                                              subpool);
++          serr = change_txn_prop(resource->info->root.txn, propname,
++                                 value, subpool);
+         }
+       else
+         {
+@@ -254,8 +270,8 @@ save_value(dav_db *db, const dav_prop_name *name,
+     }
+   else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
+     {
+-      serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
+-                                          propname, value, subpool);
++      serr = change_txn_prop(resource->info->root.txn, propname,
++                             value, subpool);
+     }
+   else
+     {
+@@ -560,8 +576,8 @@ db_remove(dav_db *db, const dav_prop_name *name)
+   /* Working Baseline or Working (Version) Resource */
+   if (db->resource->baselined)
+     if (db->resource->working)
+-      serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
+-                                          propname, NULL, subpool);
++      serr = change_txn_prop(db->resource->info->root.txn, propname,
++                             NULL, subpool);
+     else
+       /* ### VIOLATING deltaV: you can't proppatch a baseline, it's
+          not a working resource!  But this is how we currently
+]]]
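
Review bot: change_txn_prop(), added ahead of save_value() in both embedded deadprops.c patches, has no doc comment saying why svn:author is the one property refused, and its error text "Attempted to modify 'svn:author' property on a transaction" is also what the db_remove() call site returns when the value is NULL, that is, for a delete. A comment on the helper stating that the author of a transaction comes from the authenticated user and must not be set or removed through a property change would make the intent clear to anyone applying the patch by hand. In the advisory text, the CVSSv2 base score of 3.5 falls in the 0.0-3.9 band that NVD ranks as Low, while the next line calls it medium risk; either say the rating is the project's own judgement or align the wording. The "svnserve (any version) is not vulnerable" line would also read better under Known vulnerable than under Known fixed.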

Propchange: subversion/site/publish/security/CVE-2015-0251-advisory.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: subversion/site/publish/security/CVE-2015-0251-advisory.txt
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=1670313&r1=1670312&r2=1670313&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Tue Mar 31 12:12:23 2015
@@ -215,6 +215,24 @@ Subversion project.</p>
 <td>1.7.0-1.7.18 and 1.8.0-1.8.10</td>
 <td>mod_dav_svn DoS vulnerability with invalid virtual transaction names</td>
 </tr>
+<tr>
+<td><a href="CVE-2015-0202-advisory.txt">CVE-2015-0202-advisory.txt</a></td>
+<td>1.8.0-1.8.11</td>
+<td>Subversion HTTP servers with FSFS repositories are vulnerable to a
+remotely triggerable excessive memory use with certain REPORT requests</td>
+</tr>
+<tr>
+<td><a href="CVE-2015-0248-advisory.txt">CVE-2015-0248-advisory.txt</a></td>
+<td>1.6.0-1.7.19 and 1.8.0-1.8.11</td>
+<td>Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable
+assertion DoS vulnerability for certain requests with dynamically evaluated
+revision numbers</td>
+</tr>
+<tr>
+<td><a href="CVE-2015-0251-advisory.txt">CVE-2015-0251-advisory.txt</a></td>
+<td>1.5.0-1.7.19 and 1.8.0-1.8.11</td>
+<td>Subversion HTTP servers allow spoofing svn:author property values for new revisions</td>
+</tr>
 </tbody>
 </table>