Date:      Sat, 6 Apr 2013 10:10:01 GMT
From:      dfilter@FreeBSD.ORG (dfilter service)
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/177646: commit references a PR
Message-ID:  <201304061010.r36AA1EY057154@freefall.freebsd.org>

The following reply was made to PR ports/177646; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/177646: commit references a PR
Date: Sat,  6 Apr 2013 10:00:43 +0000 (UTC)

 Author: ohauer
 Date: Sat Apr  6 10:00:28 2013
 New Revision: 315739
 URL: http://svnweb.freebsd.org/changeset/ports/315739
 
 Log:
   - Subversion 1.7.9 security update [1]
   - Subversion 1.6.21 security update [2]
   
   This release addresses the following security issues:
   [1][2]  CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
   [1][2]  CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs
   [1][2]  CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs
   [1][2]  CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs
   [1]     CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT request
   
   More information on these vulnerabilities, including the relevant advisories
   and potential attack vectors and workarounds, can be found on the Subversion
   security website:
       http://subversion.apache.org/security/
   
   PR:		177646
   Submitted by:	ohauer
   Approved by:	portmgr (tabthorpe, erwin), lev
   Security:	b6beb137-9dc0-11e2-882f-20cf30e32f6d
 
 Modified:
   head/devel/subversion/Makefile.common
   head/devel/subversion/distinfo
   head/devel/subversion16/Makefile.common
   head/devel/subversion16/Makefile.inc
   head/devel/subversion16/distinfo
   head/security/vuxml/vuln.xml
 
 Modified: head/devel/subversion/Makefile.common
 ==============================================================================
 --- head/devel/subversion/Makefile.common	Sat Apr  6 02:38:59 2013	(r315738)
 +++ head/devel/subversion/Makefile.common	Sat Apr  6 10:00:28 2013	(r315739)
 @@ -2,7 +2,7 @@
  # $FreeBSD$
  
  PORTNAME=	subversion
 -PORTVERSION=	1.7.8
 +PORTVERSION=	1.7.9
  PORTREVISION?=	0
  CATEGORIES+=	devel
  MASTER_SITES=	${MASTER_SITE_APACHE:S/$/:main/} \
 
 Modified: head/devel/subversion/distinfo
 ==============================================================================
 --- head/devel/subversion/distinfo	Sat Apr  6 02:38:59 2013	(r315738)
 +++ head/devel/subversion/distinfo	Sat Apr  6 10:00:28 2013	(r315739)
 @@ -1,5 +1,5 @@
 -SHA256 (subversion17/subversion-1.7.8.tar.bz2) = fc83d4d98ccea8b7bfa8f5c20fff545c8baa7d035db930977550c51c6ca23686
 -SIZE (subversion17/subversion-1.7.8.tar.bz2) = 6023912
 +SHA256 (subversion17/subversion-1.7.9.tar.bz2) = f8454c585f99afed764232a5048d9b8bfd0a25a9ab8e339ea69fe1204c453ef4
 +SIZE (subversion17/subversion-1.7.9.tar.bz2) = 6040347
  SHA256 (subversion17/svn-book-html-r4304.tar.bz2) = a63d958b1ae70daf2ac93a53ece70a0ba0f8f7de7af3f74a665fe44b8f50ca14
  SIZE (subversion17/svn-book-html-r4304.tar.bz2) = 467806
  SHA256 (subversion17/svn-book-r4304.pdf) = 1b2cada79db8268fd6cd55fac4e5ee04c1e2977bbc587fa1098bd3613b9689b2
 
 Modified: head/devel/subversion16/Makefile.common
 ==============================================================================
 --- head/devel/subversion16/Makefile.common	Sat Apr  6 02:38:59 2013	(r315738)
 +++ head/devel/subversion16/Makefile.common	Sat Apr  6 10:00:28 2013	(r315739)
 @@ -120,6 +120,7 @@ LIB_DEPENDS+=	serf-1:${PORTSDIR}/www/ser
  CONFIGURE_ARGS+=--with-serf=${LOCALBASE}
  PLIST_SUB+=	SERF=""
  .else
 +CONFIGURE_ARGS+=--without-serf
  PLIST_SUB+=	SERF="@comment "
  .endif
  
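Review bot: the added `CONFIGURE_ARGS+=--without-serf` in the `.else` branch changes build behaviour, but the commit log mentions only the 1.7.9 and 1.6.21 security updates. Either say in the log why serf must now be disabled explicitly when the option is off, or commit it separately so the security bump can be merged or reverted on its own.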
 
 Modified: head/devel/subversion16/Makefile.inc
 ==============================================================================
 --- head/devel/subversion16/Makefile.inc	Sat Apr  6 02:38:59 2013	(r315738)
 +++ head/devel/subversion16/Makefile.inc	Sat Apr  6 10:00:28 2013	(r315739)
 @@ -1,4 +1,4 @@
  # $FreeBSD$
  # this keeps subversion16 and ../svnmerge in sync, see pr 164854
  
 -PORTVERSION=	1.6.20
 +PORTVERSION=	1.6.21
 
 Modified: head/devel/subversion16/distinfo
 ==============================================================================
 --- head/devel/subversion16/distinfo	Sat Apr  6 02:38:59 2013	(r315738)
 +++ head/devel/subversion16/distinfo	Sat Apr  6 10:00:28 2013	(r315739)
 @@ -1,5 +1,5 @@
 -SHA256 (subversion/subversion-1.6.20.tar.bz2) = 9ca903186bacb7c005806b1202c3fe7622e3d36d4f85859ae3edc06afdbb619b
 -SIZE (subversion/subversion-1.6.20.tar.bz2) = 5572244
 +SHA256 (subversion/subversion-1.6.21.tar.bz2) = efece333259a8cc37bc1af7210f2587cccd8dd484700458d324bfe3247875cd6
 +SIZE (subversion/subversion-1.6.21.tar.bz2) = 5564522
  SHA256 (subversion/svn-book-html.tar.bz2) = 5c4788e1f225b3186db5979b071fcc4c9543bfb5916cd62e003eea4507b8c8cb
  SIZE (subversion/svn-book-html.tar.bz2) = 406484
  SHA256 (subversion/svn-book.pdf) = 64e483cd27be6752eb8dfc1b00749f8dc46adfc4fb1ab1356dd8e2406d878225
 
 Modified: head/security/vuxml/vuln.xml
 ==============================================================================
 --- head/security/vuxml/vuln.xml	Sat Apr  6 02:38:59 2013	(r315738)
 +++ head/security/vuxml/vuln.xml	Sat Apr  6 10:00:28 2013	(r315739)
 @@ -51,6 +51,54 @@ Note:  Please add new entries to the beg
  
  -->
  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
 +  <vuln vid="b6beb137-9dc0-11e2-882f-20cf30e32f6d">
 +    <topic>Subversion -- multiple vulnerabilities</topic>
 +    <affects>
 +      <package>
 +	<name>subversion</name>
 +	<range><lt>1.7.9</lt></range>
 +	<range><lt>1.6.21</lt></range>
 +      </package>
 +    </affects>
 +    <description>
 +      <body xmlns="http://www.w3.org/1999/xhtml">;
 +	<p>Subversion team reports:</p>
 +	  <blockquote cite="http://subversion.apache.org/security/CVE-2013-1845-advisory.txt">;
 +	    <p>Subversion's mod_dav_svn Apache HTTPD server module will use excessive
 +	      amounts of memory when a large number of properties are set or deleted
 +	      on a node.</p>
 +	</blockquote>
 +	  <blockquote cite="http://subversion.apache.org/security/CVE-2013-1846-advisory.txt">;
 +	    <p>Subversion's mod_dav_svn Apache HTTPD server module will crash when
 +	      a LOCK request is made against activity URLs.</p>
 +	</blockquote>
 +	<blockquote cite="http://subversion.apache.org/security/CVE-2013-1847-advisory.txt">;
 +	    <p>Subversion's mod_dav_svn Apache HTTPD server module will crash in some
 +	      circumstances when a LOCK request is made against a non-existent URL.</p>
 +	</blockquote>
 +	<blockquote cite="http://subversion.apache.org/security/CVE-2013-1849-advisory.txt">;
 +	  <p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
 +	    PROPFIND request is made against activity URLs.</p>
 +	</blockquote>
 +	<blockquote cite="http://subversion.apache.org/security/CVE-2013-1884-advisory.txt">;
 +	  <p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
 +	    log REPORT request receives a limit that is out of the allowed range.</p>
 +	</blockquote>
 +      </body>
 +    </description>
 +    <references>
 +      <cvename>CVE-2013-1845</cvename>
 +      <cvename>CVE-2013-1846</cvename>
 +      <cvename>CVE-2013-1847</cvename>
 +      <cvename>CVE-2013-1849</cvename>
 +      <cvename>CVE-2013-1884</cvename>
 +    </references>
 +    <dates>
 +      <discovery>2013-04-05</discovery>
 +      <entry>2013-04-05</entry>
 +    </dates>
 +  </vuln>
 +
    <vuln vid="eae8e3cf-9dfe-11e2-ac7f-001fd056c417">
      <topic>otrs -- Information disclosure and Data manipulation</topic>
      <affects>
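Review bot: in the new entry's `<package>` block for `subversion`, the ranges `<lt>1.7.9</lt>` and `<lt>1.6.21</lt>` are alternatives, so the first already matches every version below 1.7.9, including the fixed 1.6.21. The second range adds nothing, and a patched 1.6.x install will still be reported as vulnerable. Bound the 1.7 branch from below, for example `<range><ge>1.7.0</ge><lt>1.7.9</lt></range>` next to `<range><lt>1.6.21</lt></range>`, with the exact lower bounds taken from the advisories. The commit log also marks CVE-2013-1884 as [1] only (the 1.7.9 update), while this entry lists it without saying which branch it applies to; the description should state that.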
 @@ -63,10 +111,10 @@ Note:  Please add new entries to the beg
        <body xmlns="http://www.w3.org/1999/xhtml">;
  	<p>The OTRS Project reports:</p>
  	<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/">;
 -	  <p>An attacker with a valid agent login could manipulate URLs in the
 -object linking mechanism to see titles of tickets and other objects that are not
 -obliged to be seen. Furthermore, links to objects without permission can be
 -placed and removed.</p>
 +		<p>An attacker with a valid agent login could manipulate URLs in the
 +		  object linking mechanism to see titles of tickets and other objects
 +		  that are not obliged to be seen. Furthermore, links to objects without
 +		  permission can be placed and removed.</p>
  	</blockquote>
        </body>
      </description>
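Review bot: the four replaced lines inside the otrs entry's `<blockquote>` only rewrap and reindent the paragraph, which is unrelated to the Subversion update this commit describes. The new `<p>` is also indented deeper than the preceding `<p>The OTRS Project reports:</p>`. Drop this from the security commit or send it as a separate whitespace-only change that matches the surrounding indentation, so the vuln.xml change stays easy to audit.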
 @@ -17163,7 +17211,7 @@ executed in your Internet Explorer while
      </affects>
      <description>
        <body xmlns="http://www.w3.org/1999/xhtml">;
 -	<p>Subversion tram reports:</p>
 +	<p>Subversion team reports:</p>
  	<blockquote cite="http://subversion.apache.org/security/CVE-2011-1752-advisory.txt">;
  	  <p>Subversion's mod_dav_svn Apache HTTPD server module will
  	    dereference a NULL pointer if asked to deliver baselined WebDAV
 _______________________________________________
 svn-ports-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-ports-all
 To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
 


