2022-04-12 18:24:29 by Benny Siegert | Files touched by this commit (7)
Log message:
subversion: update to 1.4.2 (security).
THIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:
CVE-2021-28544
"SVN authz protected copyfrom paths regression"
The full security advisory for CVE-2021-28544 is available at:
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc
A brief summary of this advisory follows:
Subversion servers reveal 'copyfrom' paths that should be hidden according to
configured path-based authorization (authz) rules. When a node has been
copied from a protected location, users with access to the copy can see the
'copyfrom' path of the original. This also reveals the fact that
the node was copied.
Only the 'copyfrom' path is revealed, not its contents. Both httpd and svnserve
servers are vulnerable.
We recommend all users to upgrade to a known fixed release of the
Subversion server.
This issue was reported by Evgeny Kotkov.
CVE-2022-24070
"Subversion's mod_dav_svn is vulnerable to memory corruption"
The full security advisory for CVE-2022-24070 is available at:
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc
A brief summary of this advisory follows:
While looking up path-based authorization rules, mod_dav_svn servers
may attempt to use memory which has already been freed.
We recommend all users to upgrade to a known fixed release of the
Subversion server.
This issue was reported by Thomas Weißschuh.

2021-10-26 12:20:11 by Nia Alarie | Files touched by this commit (3016)
Log message:
archivers: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes.
Could not be committed due to merge conflict:
devel/py-traitlets/distinfo
The following distfiles were unfetchable (note: some may be only fetched
conditionally):
./devel/pvs/distinfo pvs-3.2-solaris.tgz
./devel/eclipse/distinfo eclipse-sourceBuild-srcIncluded-3.0.1.zip

2021-10-07 15:44:44 by Nia Alarie | Files touched by this commit (3017)
Log message:
devel: Remove SHA1 hashes for distfiles

2021-07-21 16:40:32 by Takahiro Kambe | Files touched by this commit (29)
Log message:
Bump PKGREVISION for affected packages by changing default Ruby's version.

2021-05-24 21:56:06 by Thomas Klausner | Files touched by this commit (3575)
Log message:
*: recursive bump for perl 5.34

2021-02-14 16:09:20 by Adam Ciarcinski | Files touched by this commit (9)
Log message:
subversion: updated to 1.14.1
Subversion 1.14.1.
This is a stable bugfix and security release of the Apache Subversion
open source version control system.
THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
CVE-2020-17525
"Remote unauthenticated denial-of-service in Subversion mod_authz_svn"
The full security advisory for CVE-2020-17525 is available at:
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
A brief summary of this advisory follows:
Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile
option and a client sends a request for a non-existing repository URL.
This can lead to disruption for users of the service.
We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
of the Subversion mod_dav_svn server.
As a workaround, the use of in-repository authz rules files with
the AuthzSVNReposRelativeAccessFile can be avoided by switching
to an alternative configuration which fetches an authz rules file
from the server's filesystem, rather than from an SVN repository.

2020-07-27 22:48:53 by Adam Ciarcinski | Files touched by this commit (10)
Log message:
subversion: updated to 1.14.0
What's New in Apache Subversion 1.14:
* Support for Python 3.x
* Support for Python 2.7 is being phased out
* New build-time dependency: py3c
* Many enhancements and bug fixes

2020-03-14 15:13:02 by Tobias Nygren | Files touched by this commit (1)
Log message:
subversion: skip portability checks for unused files

2020-02-24 17:10:34 by Adam Ciarcinski | Files touched by this commit (11)
Log message:
subversion: updated to 1.13.0
Version 1.13.0
User-visible changes:
- Minor new features and improvements:
* New 'svnadmin rev-size' command to report revision size
* In 'svn help', hide experimental commands and global options
* Add a hint about mod_dav_svn misconfiguration
* Performance improvement for 'svn st' etc., in WC SQLite DB
- Client-side bugfixes:
* Windows: avoid delays in SSL certificate validation override
* Fix 'svn patch' setting mode 0600 on patched files with props
* Fix "svn diff --changelist ARG" broken in subdirectories
* Fix misleading 'redirect cycle' error on a non-repository URL
- Server-side bugfixes:
* svnserve: Report some errors that we previously ignored
* Make server code more resilient to malformed paths and URLs
* Make dump stream parser more resilient to malformed dump stream
* mod_dav_svn: Fix missing Last-Modified header on 'external' GET requests
- Client-side and server-side bugfixes:
* Fix excessive memory usage in some cases reading binary data
* Win32: fix svn_io_file_rename2() spinning in a retry loop
- Other tool improvements and bugfixes:
* svn_load_dirs.pl: do not show password; fix cleanup
Developer-visible changes:
* New svn_fs_ioctl() API for FSFS stats, dump/load index, rev-size
Version 1.12.2
User-visible changes:
* Fix conflict resolver bug: local and incoming edits swapped.
* Fix memory lifetime problem in a libsvn_wc error code path.
* Faster Windows file existence checks, improving 'svn st' etc.
Developer-visible changes:
* Allow generating Visual Studio 2019 projects
* Fix build with APR 1.7.0.
* Fix building Subversion with Visual Studio 2005 and 2008.
* Allow svnserve's 'get-deleted-rev' API to return 'not deleted'.
Version 1.12.1
(Not released; see changes for 1.12.2.)

2020-01-19 00:36:14 by Roland Illig | Files touched by this commit (3046)
Log message:
all: migrate several HOMEPAGEs to https
pkglint --only "https instead of http" -r -F
With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.
This mainly affects projects hosted at SourceForge, as well as
freedesktop.org, CTAN and GNU.