OpenPKG-SA-2004.023-subversion.tx...

Ralf S. Engelschall Wed, 19 May 2004 14:16:59 -0700

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________


  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   19-May-2004 21:46:16
  Branch: HEAD                             Handle: 2004051920461500

  Added files:
    openpkg-web/security    OpenPKG-SA-2004.023-subversion.txt

  Log:
    initial SA for Subversion

  Summary:
    Revision    Changes     Path
    1.1         +71 -0      openpkg-web/security/OpenPKG-SA-2004.023-subversion.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.023-subversion.txt
  ============================================================================
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.023-subversion.txt
  --- /dev/null 2004-05-19 21:46:16.000000000 +0200
  +++ OpenPKG-SA-2004.023-subversion.txt        2004-05-19 21:46:16.000000000 +0200
  @@ -0,0 +1,71 @@
  +________________________________________________________________________
  +
  +OpenPKG Security Advisory                            The OpenPKG Project
  +http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  +OpenPKG-SA-2004.023                                          19-May-2004
  +________________________________________________________________________
  +
  +Package:             subversion
  +Vulnerability:       remote code execution
  +OpenPKG Specific:    no
  +
  +Affected Releases:   Affected Packages:           Corrected Packages:
  +OpenPKG CURRENT      <= subversion-1.0.2-20040518 >= subversion-1.0.3-20040519
  +OpenPKG 2.0          <= subversion-1.0.0-2.0.1    >= subversion-1.0.0-2.0.2
  +OpenPKG 1.3          N.A.                         N.A.
  +
  +Dependent Packages:  none
  +
  +Description:
  +  Stefan Esser discovered [1] a remote vulnerability in the Subversion
  +  [0] version control system. Subversion versions up to 1.0.2 are
  +  vulnerable to a date parsing vulnerability which can be abused to
  +  allow remote code execution on Subversion servers and therefore
  +  could lead to a repository compromise. The Common Vulnerabilities
  +  and Exposures (CVE) project assigned the id CAN-2004-0397 [2] to the
  +  problem.
  +
  +  Please check whether you are affected by running "<prefix>/bin/rpm -q
  +  subversion". If you have the "subversion" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution). [3][4]
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  +  verify its integrity [7], build a corresponding binary RPM from it
  +  [3] and update your OpenPKG installation by applying the binary RPM
  +  [4]. For the most recent release OpenPKG 2.0, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.0/UPD
  +  ftp> get subversion-1.0.0-2.0.2.src.rpm
  +  ftp> bye
  +  $ <prefix>/bin/openpkg rpm -v --checksig subversion-1.0.0-2.0.2.src.rpm
  +  $ <prefix>/bin/openpkg rpm --rebuild subversion-1.0.0-2.0.2.src.rpm
  +  $ su -
  +  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/subversion-1.0.0-2.0.2.*.rpm
  +________________________________________________________________________
  +
  +References:
  +  [0] http://subversion.tigris.org/
  +  [1] http://security.e-matters.de/advisories/082004.html
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0397
  +  [3] http://www.openpkg.org/tutorial.html#regular-source
  +  [4] http://www.openpkg.org/tutorial.html#regular-binary
  +  [5] ftp://ftp.openpkg.org/release/2.0/UPD/subversion-1.0.0-2.0.2.src.rpm
  +  [6] ftp://ftp.openpkg.org/release/2.0/UPD/
  +  [7] http://www.openpkg.org/security.html#signature
  +________________________________________________________________________
  +
  +For security reasons, this advisory was digitally signed with the
  +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
  +OpenPKG project which you can retrieve from http://pgp.openpkg.org and
  +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
  +for details on how to verify the integrity of this advisory.
  +________________________________________________________________________
  +
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]

[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2004.023-subversion.tx...

Reply via email to