Next | Query returned 216 messages, browsing 11 to 20 | Previous


CVS Commit History:


   2022-04-12 18:24:29 by Benny Siegert | Files touched by this commit (7) | Package updated
Log message:
subversion: update to 1.4.2 (security).

THIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:

CVE-2021-28544
"SVN authz protected copyfrom paths regression"

The full security advisory for CVE-2021-28544 is available at:
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc

A brief summary of this advisory follows:

   Subversion servers reveal 'copyfrom' paths that should be hidden according to
   configured path-based authorization (authz) rules.  When a node has been
   copied from a protected location, users with access to the copy can see the
   'copyfrom' path of the original.  This also reveals the fact that
   the node was copied.
   Only the 'copyfrom' path is revealed; not its contents. Both httpd
   and svnserve servers are vulnerable.

   We recommend all users to upgrade to a known fixed release of the
   Subversion server.

   This issue was reported by Evgeny Kotkov

CVE-2022-24070
"Subversion's mod_dav_svn is vulnerable to memory corruption"

The full security advisory for CVE-2022-24070 is available at:
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc

A brief summary of this advisory follows:

   While looking up path-based authorization rules, mod_dav_svn servers
   may attempt to use memory which has already been freed.

   We recommend all users to upgrade to a known fixed release of the
   Subversion server.

   This issue was reported by Thomas Weißschuh
   2021-10-26 12:20:11 by Nia Alarie | Files touched by this commit (3016)
Log message:
archivers: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Could not be committed due to merge conflict:
devel/py-traitlets/distinfo

The following distfiles were unfetchable (note: some may be only fetched
conditionally):

./devel/pvs/distinfo pvs-3.2-solaris.tgz
./devel/eclipse/distinfo eclipse-sourceBuild-srcIncluded-3.0.1.zip
   2021-10-07 15:44:44 by Nia Alarie | Files touched by this commit (3017)
Log message:
devel: Remove SHA1 hashes for distfiles
   2021-07-21 16:40:32 by Takahiro Kambe | Files touched by this commit (29)
Log message:
Bump PKGREVISION for affected packages by changing default Ruby's version.
   2021-05-24 21:56:06 by Thomas Klausner | Files touched by this commit (3575)
Log message:
*: recursive bump for perl 5.34
   2021-02-14 16:09:20 by Adam Ciarcinski | Files touched by this commit (9) | Package updated
Log message:
subversion: updated to 1.14.1

Subversion 1.14.1.

This is a stable bugfix and security release of the Apache Subversion
open source version control system.

THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:

  CVE-2020-17525
  "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"

The full security advisory for CVE-2020-17525 is available at:
  https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

A brief summary of this advisory follows:

  Subversion's mod_authz_svn module will crash if the server is using
  in-repository authz rules with the AuthzSVNReposRelativeAccessFile
  option and a client sends a request for a non-existing repository URL.

  This can lead to disruption for users of the service.

  We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
  of the Subversion mod_dav_svn server.

  As a workaround, the use of in-repository authz rules files with
  the AuthzSVNReposRelativeAccessFile can be avoided by switching
  to an alternative configuration which fetches an authz rules file
  from the server's filesystem, rather than from an SVN repository.
   2020-07-27 22:48:53 by Adam Ciarcinski | Files touched by this commit (10) | Package updated
Log message:
subversion: updated to 1.14.0

What's New in Apache Subversion 1.14

Support for Python 3.x
Support for Python 2.7 is being phased out
New Build-Time Dependency: py3c
Many enhancements and bug fixes
   2020-03-14 15:13:02 by Tobias Nygren | Files touched by this commit (1)
Log message:
subversion: skip portability checks for unused files
   2020-02-24 17:10:34 by Adam Ciarcinski | Files touched by this commit (11) | Package updated
Log message:
subversion: updated to 1.13.0

Version 1.13.0

User-visible changes:
- Minor new features and improvements:
  * New 'svnadmin rev-size' command to report revision size
  * In 'svn help', hide experimental commands and global options
  * Add a hint about mod_dav_svn misconfiguration
  * Performance improvement for 'svn st' etc., in WC SQLite DB

- Client-side bugfixes:
  * Windows: avoid delays in SSL certificate validation override
  * Fix 'svn patch' setting mode 0600 on patched files with props
  * Fix "svn diff --changelist ARG" broken in subdirectories
  * Fix misleading 'redirect cycle' error on a non-repository URL

- Server-side bugfixes:
  * svnserve: Report some errors that we previously ignored
  * Make server code more resilient to malformed paths and URLs
  * Make dump stream parser more resilient to malformed dump stream
  * mod_dav_svn: Fix missing Last-Modified header on 'external' GET requests

- Client-side and server-side bugfixes:
  * Fix excessive memory usage in some cases reading binary data
  * Win32: fix svn_io_file_rename2() spinning in a retry loop

- Other tool improvements and bugfixes:
  * svn_load_dirs.pl: do not show password; fix cleanup

Developer-visible changes:
  * New svn_fs_ioctl() API for FSFS stats, dump/load index, rev-size

Version 1.12.2

User-visible changes:
  * Fix conflict resolver bug: local and incoming edits swapped.
  * Fix memory lifetime problem in a libsvn_wc error code path.
  * Faster Windows file existence checks, improving 'svn st' etc.

Developer-visible changes:
  * Allow generating Visual Studio 2019 projects
  * Fix build with APR 1.7.0.
  * Fix building Subversion with Visual Studio 2005 and 2008.
  * Allow svnserve's 'get-deleted-rev' API to return 'not deleted'.

Version 1.12.1
(Not released; see changes for 1.12.2.)
   2020-01-19 00:36:14 by Roland Illig | Files touched by this commit (3046)
Log message:
all: migrate several HOMEPAGEs to https

pkglint --only "https instead of http" -r -F

With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.

This mainly affects projects hosted at SourceForge, as well as
freedesktop.org, CTAN and GNU.
