Hello community, here is the log from the commit of package subversion for openSUSE:11.3 checked in at Tue Jun 7 14:18:04 CEST 2011.
--------
--- old-versions/11.3/UPDATES/all/subversion/subversion.changes 2011-01-19 14:19:10.000000000 +0100
+++ /mounts/work_src_done/11.3/subversion/subversion.changes 2011-06-07 12:06:13.636573759 +0200
@@ -1,0 +2,14 @@
+Tue Jun 7 11:00:15 CEST 2011 - [email protected]
+
+- possibly remotely triggerable subversion deref (bnc#676949):
+ * CVE-2011-0715
+- fix multiple security issues (bnc#698205):
+ * CVE-2011-1752, CVE-2011-1921, CVE-2011-1783
+- fix misleading text in /etc/sysconfig/svnserve
+
+-------------------------------------------------------------------
+Thu Apr 21 15:57:51 CEST 2011 - [email protected]
+
+- Use getent to check for existance of user and group (bnc#688968).
+
+-------------------------------------------------------------------
calling whatdependson for 11.3-i586
New:
----
CVE-2011-0715.txt
CVE-2011-1752.diff
CVE-2011-1921-and-CVE-2011-1783.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ subversion.spec ++++++
--- /var/tmp/diff_new_pack.uNBPg8/_old 2011-06-07 14:16:47.000000000 +0200
+++ /var/tmp/diff_new_pack.uNBPg8/_new 2011-06-07 14:16:47.000000000 +0200
@@ -42,7 +42,7 @@
 Name: subversion
 Version: 1.6.9
-Release: 4.<RELEASE5>
+Release: 4.<RELEASE7>
 # in-tree SWIG version to use for the build:
 %define swig_version 1.3.36
 %define sqlite_version 3.6.17
@@ -162,6 +162,9 @@
 Patch38: CVE-2010-4539.diff
 Patch39: CVE-2010-4644.diff
 Patch40: fix-abort-on-blame.diff
+Patch41: CVE-2011-0715.txt
+Patch42: CVE-2011-1752.diff
+Patch43: CVE-2011-1921-and-CVE-2011-1783.diff
 #
 %if %with_ruby
 %if %{!?rb_arch:1}0
@@ -354,6 +357,9 @@
 %patch38
 %patch39
 %patch40
+%patch41
+%patch42
+%patch43
 
 %build
 # This package failed when testing with -Wl,-as-needed being default.
++++++ CVE-2011-0715.txt ++++++
--- subversion/mod_dav_svn/version.c
+++ subversion/mod_dav_svn/version.c
@@ -1172,11 +1172,13 @@ dav_svn__push_locks(dav_resource *resource,
 svn_error_t *serr;
 
 serr = svn_fs_get_access(&fsaccess, resource->info->repos->fs);
- if (serr)
+ if (serr || !fsaccess)
 {
 /* If an authenticated user name was attached to the request,
 then dav_svn_get_resource() should have already noticed and
 created an fs_access_t in the filesystem. */
+ if (serr == NULL)
+ serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL);
 return dav_svn__sanitize_error(serr, "Lock token(s) in request, but "
 "missing an user name",
 HTTP_BAD_REQUEST, resource->info->r);
++++++ CVE-2011-1752.diff ++++++
--- subversion/mod_dav_svn/repos.c
+++ subversion/mod_dav_svn/repos.c
@@ -2843,10 +2843,11 @@ deliver(const dav_resource *resource, ap
 apr_status_t status;
 
 /* Check resource type */
- if (resource->type != DAV_RESOURCE_TYPE_REGULAR
- && resource->type != DAV_RESOURCE_TYPE_VERSION
- && resource->type != DAV_RESOURCE_TYPE_WORKING
- && resource->info->restype != DAV_SVN_RESTYPE_PARENTPATH_COLLECTION)
+ if (resource->baselined
+ || (resource->type != DAV_RESOURCE_TYPE_REGULAR
+ && resource->type != DAV_RESOURCE_TYPE_VERSION
+ && resource->type != DAV_RESOURCE_TYPE_WORKING
+ && resource->info->restype != DAV_SVN_RESTYPE_PARENTPATH_COLLECTION))
 {
 return dav_new_error(resource->pool, HTTP_CONFLICT, 0,
 "Cannot GET this type of resource.");
Eigenschaftsänderungen: .
___________________________________________________________________
Geändert: svn:mergeinfo
Zusammengeführt /subversion/trunk:r1098608
++++++ CVE-2011-1921-and-CVE-2011-1783.diff ++++++
--- subversion/libsvn_repos/authz.c
+++ subversion/libsvn_repos/authz.c
@@ -746,6 +746,9 @@
 return SVN_NO_ERROR;
 }
 
+ /* Sanity check. */
+ SVN_ERR_ASSERT(path[0] == '/');
+
 /* Determine the granted access for the requested path. */
 while (!authz_get_path_access(authz->cfg, repos_name,
 current_path, user,
--- subversion/mod_dav_svn/authz.c
+++ subversion/mod_dav_svn/authz.c
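Review bot: The new `if (serr == NULL)` branch reuses SVN_ERR_FS_LOCK_OWNER_MISMATCH, an error code whose name describes a different condition than the one actually detected here (svn_fs_get_access() succeeded but handed back no access context), and the comment above the branch still only explains the original `serr` case. Add a sentence to that comment such as `If no fs_access_t came back at all, synthesize an error so the same sanitized 400 response is returned.` so the code is not misread as an owner check. The NULL message passed to svn_error_create() appears to be deliberate, since dav_svn__sanitize_error() is given its own message text on the next line. dav_svn__push_locks continues outside the hunk.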
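Review bot: The `/* Check resource type */` comment directly above the condition no longer covers the new first clause, which rejects every baselined resource before the type is even looked at; change it to `/* Baselined resources are never delivered; otherwise check the resource type. */`. The single `Cannot GET this type of resource.` message now also covers the baselined case, which is acceptable but worth remembering when reading server logs for this HTTP_CONFLICT. deliver()'s body continues outside the hunk.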
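Review bot: `SVN_ERR_ASSERT(path[0] == '/')` dereferences `path` unconditionally; the `return SVN_NO_ERROR; }` context just above suggests an earlier branch already returns for a NULL path, but that branch is outside the hunk and should be confirmed before relying on it. SVN_ERR_ASSERT also goes through the malfunction handler, whose default aborts the process unless a non-aborting handler was installed, so any caller that reaches this line with a path lacking a leading slash turns a malformed input into a crash rather than an access-denied result; the mod_dav_svn hunk below normalizes its path before calling, and the other callers of this function deserve the same check. The bare `/* Sanity check. */` should say what is being checked: `/* Callers must pass a repository-absolute path (leading '/'). */`.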
@@ -51,6 +51,11 @@
 return TRUE;
 }
 
+ /* Sometimes we get paths that do not start with '/' and
+ hence below uri concatenation would lead to wrong uris .*/
+ if (path && path[0] != '/')
+ path = apr_pstrcat(pool, "/", path, NULL);
+
 /* If bypass is specified and authz has exported the provider.
 Otherwise, we fall through to the full version. This should be
 safer than allowing or disallowing all accesses if there is a
++++++ subversion.rcsvnserve ++++++
--- /var/tmp/diff_new_pack.uNBPg8/_old 2011-06-07 14:16:47.000000000 +0200
+++ /var/tmp/diff_new_pack.uNBPg8/_new 2011-06-07 14:16:47.000000000 +0200
@@ -1,5 +1,5 @@
 #! /bin/sh
-# Copyright (c) 1995-2002 SuSE Linux AG, Nuernberg, Germany.
+# Copyright (c) 1995-2011 SuSE Linux AG, Nuernberg, Germany.
 # All rights reserved.
 #
 # /etc/init.d/svnserve
@@ -96,9 +96,25 @@
 echo -n "Starting svnserve "
 ## Start daemon with startproc(8). If this fails
 ## the return value is set appropriately by startproc.
- startproc -u "$SVNSERVE_USERID" -g "$SVNSERVE_GROUPID" -e $SVNSERVE_BIN $SVNSERVE_OPTIONS
+ UID_ENT="$(/usr/bin/getent passwd $SVNSERVE_USERID)"
+ GID_ENT="$(/usr/bin/getent group $SVNSERVE_GROUPID)"
 
- # Remember status and be verbose
+ if test -z "$SVNSERVE_USERID" -o -z "$UID_ENT"
+ then
+ echo
+ echo "User $SVNSERVE_USERID does not exist."
+ echo "Please check $SVNSERVE_CONFIG before starting this service."
+ rc_failed
+ elif test -z "$SVNSERVE_GROUPID" -o -z "$GID_ENT"
+ then
+ echo
+ echo "Group $SVNSERVE_GROUPID does not exist."
+ echo "Please check $SVNSERVE_CONFIG before starting this service."
+ rc_failed
+ else
+ startproc -u "$SVNSERVE_USERID" -g "$SVNSERVE_GROUPID" -e $SVNSERVE_BIN $SVNSERVE_OPTIONS
+ fi
+ # Remember status and be verbose
 rc_status -v
 ;;
 stop)
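Review bot: The new comment is hard to read as written (`wrong uris .*/`, lowercase `uri`); suggest `/* Paths sometimes arrive without a leading '/'; normalize here so the URI concatenation below yields a correct URI. */`. The normalization only repairs a missing leading slash, nothing else about the path's shape, so the concatenation it protects should be checked for other assumptions; that concatenation and the enclosing function are outside the hunk. Note that the companion libsvn_repos/authz.c change asserts on a missing leading slash, so this prepend is what keeps that assertion from firing on the mod_dav_svn path.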
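Review bot: `$SVNSERVE_USERID` and `$SVNSERVE_GROUPID` are unquoted inside the two getent command substitutions, so a value containing whitespace or glob characters is split before the lookup, and an empty value makes getent enumerate the whole database into UID_ENT/GID_ENT; that last case is only caught because `test -z "$SVNSERVE_USERID"` runs first. Quote them: `UID_ENT="$(/usr/bin/getent passwd "$SVNSERVE_USERID")"` and `GID_ENT="$(/usr/bin/getent group "$SVNSERVE_GROUPID")"`. `test -z a -o -z b` is the obsolescent form; `test -z "$SVNSERVE_USERID" || test -z "$UID_ENT"` is the portable spelling. The unquoted `$SVNSERVE_BIN $SVNSERVE_OPTIONS` on the startproc line is carried over unchanged from the old code.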
@@ -4,27 +4,28 @@
 ## Type: string
 ## Default "-d -R -r /srv/svn/repos"
 #
-# default options for the svnserve process
-# it is recommended to provide only readonly access to your data.
-# there is no authentication possible, everyone can read and write at will
-# read the subversion documentation about more info
+# Default options for the svnserve process.
+# The -R option enforces read-only access, i.e. write operations to the
+# repository (such as commits) will not be allowed.
+# Authentication should be configured before allowing write access.
+# See http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth
 #
 SVNSERVE_OPTIONS="-d -R -r /srv/svn/repos"
 
 ## Type: string
 ## Default "svn"
 #
-# svnserve should run as unprivileged user
-# the userid/groupid svn is not created during package install
-# run 'useradd -d /srv/svn -s /bin/false svn ; groupadd svn' to create the userid/groupid
+# svnserve should run as unprivileged user.
+# The userid/groupid svn is not created during package install.
+# Run 'groupadd svn; useradd -d /srv/svn -s /bin/false -g svn svn' to create the userid/groupid.
 #
 SVNSERVE_USERID="svn"
 
 ## Type: string
 ## Default "svn"
 #
-# svnserve should run as unprivileged user
-# the userid/groupid svn is not created during package install
-# run 'useradd -d /srv/svn -s /bin/false svn ; groupadd svn' to create the userid/groupid
+# svnserve should run as unprivileged user.
+# The userid/groupid svn is not created during package install.
+# Run 'groupadd svn; useradd -d /srv/svn -s /bin/false -g svn svn' to create the userid/groupid.
 #
 SVNSERVE_GROUPID="svn"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
