Subject: CVS commit: pkgsrc/devel
From: Benny Siegert
Date: 2022-04-12 18:24:29
Message id: 20220412162429.381E0FB24@cvs.NetBSD.org

Log Message:
subversion: update to 1.4.2 (security).

THIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:

CVE-2021-28544
"SVN authz protected copyfrom paths regression"

The full security advisory for CVE-2021-28544 is available at:
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc

A brief summary of this advisory follows:

   Subversion servers reveal 'copyfrom' paths that should be hidden according to
   configured path-based authorization (authz) rules.  When a node has been
   copied from a protected location, users with access to the copy can see the
   `copyfrom' path of the original.  This also reveals the fact that the node
   was copied.  Only the 'copyfrom' path is revealed; not its contents.  Both
   httpd and svnserve servers are vulnerable.

   We recommend all users to upgrade to a known fixed release of the
   Subversion server.

   This issue was reported by Evgeny Kotkov

CVE-2022-24070
"Subversion's mod_dav_svn is vulnerable to memory corruption"

The full security advisory for CVE-2022-24070 is available at:
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc

A brief summary of this advisory follows:

   While looking up path-based authorization rules, mod_dav_svn servers
   may attempt to use memory which has already been freed.

   We recommend all users to upgrade to a known fixed release of the
   Subversion server.

   This issue was reported by Thomas Weißschuh

Files:
Revision  Action  File
1.62      modify  pkgsrc/devel/java-subversion/Makefile
1.122     modify  pkgsrc/devel/p5-subversion/Makefile
1.95      modify  pkgsrc/devel/py-subversion/Makefile
1.84      modify  pkgsrc/devel/ruby-subversion/Makefile
1.88      modify  pkgsrc/devel/subversion/Makefile.version
1.119     modify  pkgsrc/devel/subversion/distinfo
1.130     modify  pkgsrc/devel/subversion-base/Makefile