Subject: CVS commit: pkgsrc
From: Adam Ciarcinski
Date: 2021-02-14 16:09:20
Message id: 20210214150920.59E87FA95@cvs.NetBSD.org

Log Message:
subversion: updated to 1.14.1

Subversion 1.14.1.

This is a stable bugfix and security release of the Apache Subversion
open source version control system.

THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:

  CVE-2020-17525
  "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"

The full security advisory for CVE-2020-17525 is available at:
  https://subversion.apache.org/security/ … visory.txt

A brief summary of this advisory follows:

  Subversion's mod_authz_svn module will crash if the server is using
  in-repository authz rules with the AuthzSVNReposRelativeAccessFile
  option and a client sends a request for a non-existing repository URL.

  This can lead to disruption for users of the service.

  We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
  of the Subversion mod_dav_svn server.

  As a workaround, the use of in-repository authz rules files with
  the AuthzSVNReposRelativeAccessFile can be avoided by switching
  to an alternative configuration which fetches an authz rules file
  from the server's filesystem, rather than from an SVN repository.

Files:
RevisionActionfile
1.95modifypkgsrc/www/ap2-subversion/Makefile
1.39modifypkgsrc/devel/subversion/files/build-outputs.mk
1.126modifypkgsrc/devel/subversion-base/Makefile
1.116modifypkgsrc/devel/subversion/distinfo
1.87modifypkgsrc/devel/subversion/Makefile.version
1.80modifypkgsrc/devel/ruby-subversion/Makefile
1.91modifypkgsrc/devel/py-subversion/Makefile
1.118modifypkgsrc/devel/p5-subversion/Makefile
1.58modifypkgsrc/devel/java-subversion/Makefile