CVS Commit History:
2022-04-16 10:40:45 by S.P.Zeidler | Files touched by this commit (8)
Log message:
Pullup ticket #6613 - requested by bsiegert
devel/java-subversion: security update
devel/p5-subversion: security update
devel/py-subversion: security update
devel/ruby-subversion: security update
devel/subversion-base: security update
devel/subversion: security update
Revisions pulled up:
- devel/java-subversion/Makefile 1.62
- devel/p5-subversion/Makefile 1.122
- devel/py-subversion/Makefile 1.95
- devel/ruby-subversion/Makefile 1.84
- devel/subversion-base/Makefile 1.130
- devel/subversion/Makefile 1.68
- devel/subversion/Makefile.version 1.88
- devel/subversion/distinfo 1.119
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Tue Apr 12 16:24:29 UTC 2022
Modified Files:
pkgsrc/devel/java-subversion: Makefile
pkgsrc/devel/p5-subversion: Makefile
pkgsrc/devel/py-subversion: Makefile
pkgsrc/devel/ruby-subversion: Makefile
pkgsrc/devel/subversion: Makefile.version distinfo
pkgsrc/devel/subversion-base: Makefile
Log message:
subversion: update to 1.4.2 (security).
THIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:
CVE-2021-28544
"SVN authz protected copyfrom paths regression"
The full security advisory for CVE-2021-28544 is available at:
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc
A brief summary of this advisory follows:
Subversion servers reveal 'copyfrom' paths that should be hidden according to
configured path-based authorization (authz) rules. When a node has been
copied from a protected location, users with access to the copy can see the
'copyfrom' path of the original. This also reveals the fact that the node
was copied.
Only the 'copyfrom' path is revealed; not its contents. Both httpd and
svnserve servers are vulnerable.
We recommend all users to upgrade to a known fixed release of the
Subversion server.
This issue was reported by Evgeny Kotkov
CVE-2022-24070
"Subversion's mod_dav_svn is vulnerable to memory corruption"
The full security advisory for CVE-2022-24070 is available at:
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc
A brief summary of this advisory follows:
While looking up path-based authorization rules, mod_dav_svn servers
may attempt to use memory which has already been freed.
We recommend all users to upgrade to a known fixed release of the
Subversion server.
This issue was reported by Thomas Weißschuh
To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 pkgsrc/devel/java-subversion/Makefile
cvs rdiff -u -r1.121 -r1.122 pkgsrc/devel/p5-subversion/Makefile
cvs rdiff -u -r1.94 -r1.95 pkgsrc/devel/py-subversion/Makefile
cvs rdiff -u -r1.83 -r1.84 pkgsrc/devel/ruby-subversion/Makefile
cvs rdiff -u -r1.87 -r1.88 pkgsrc/devel/subversion/Makefile.version
cvs rdiff -u -r1.118 -r1.119 pkgsrc/devel/subversion/distinfo
cvs rdiff -u -r1.129 -r1.130 pkgsrc/devel/subversion-base/Makefile
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Tue Apr 12 21:40:36 UTC 2022
Modified Files:
pkgsrc/devel/subversion: Makefile
Log message:
subversion: reset PKGREVISION after update
To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 pkgsrc/devel/subversion/Makefile