To interested persons:

Apache Subversion uses the Apache Portable Runtime (APR) to provide platform-specific and other utility services. APR announced the availability of APR 1.4.4, which addresses CVE-2011-0419, a potential unconstrained recursion bug in apr_fnmatch(). An attacker could potentially exploit this issue to cause the target machine to exhaust stack memory or use excessive CPU. Prior to Subversion 1.6.16, Subversion used the affected function on untrusted data in mod_dav_svn, exposing it to this flaw.

In Subversion 1.6.16, mod_dav_svn was changed to avoid the use of apr_fnmatch(), eliminating this attack vector for Subversion. Thus, Subversion systems are only vulnerable if they are running *both* APR < 1.4.4 and Subversion < 1.6.16. It is recommended that users upgrade one or both of these components as soon as is convenient.

To read more about the APR 1.4.4 release, see http://www.apache.org/dist/apr/Announcement1.x.html

- The Subversion Team
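
An exposure check for the "both APR < 1.4.4 and Subversion < 1.6.16" condition above, added here as an example and not part of the Subversion Team's announcement. The function names, status labels and sample inventory are constructed for illustration, and the version strings are assumed to be upstream release numbers collected from each server.

```python
import re

APR_FIXED = (1, 4, 4)   # APR release that addresses CVE-2011-0419
SVN_FIXED = (1, 6, 16)  # Subversion release whose mod_dav_svn avoids apr_fnmatch()

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'svn, version 1.6.12 (r0)'; None if absent."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def assess(apr_text, svn_text):
    """Classify one host as 'exposed', 'not exposed' or 'unknown'."""
    apr, svn = parse_version(apr_text), parse_version(svn_text)
    # One fixed component is enough, even when the other version is unknown.
    if (apr is not None and apr >= APR_FIXED) or (svn is not None and svn >= SVN_FIXED):
        return "not exposed"
    # Both versions known and both older than the fixed releases.
    if apr is not None and svn is not None:
        return "exposed"
    # A version is missing and nothing known is fixed: needs a manual look.
    return "unknown"

def triage(inventory):
    """Map each host in (host, apr_version, svn_version) rows to its status."""
    return {host: assess(apr, svn) for host, apr, svn in inventory}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("svn-a.example", "1.4.2", "svn, version 1.6.15 (r0)"),  # both old
    ("svn-b.example", "1.4.4", "1.6.12"),                    # APR fixed
    ("svn-c.example", "1.3.9", "1.6.16"),                    # Subversion fixed
    ("svn-d.example", None, "1.6.12"),                       # APR version not collected
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Distribution packages sometimes backport fixes without changing the upstream version number, so an "exposed" result on a packaged build is a prompt to check the vendor's advisory for that package.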