From: Olli Hauer
Date: Sat, 6 Apr 2013 10:00:28 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r315739 - in head: devel/subversion devel/subversion16 security/vuxml

Author: ohauer
Date: Sat Apr 6 10:00:28 2013
New Revision: 315739
URL: http://svnweb.freebsd.org/changeset/ports/315739

Log:
  - Subversion 1.7.9 security update [1]
  - Subversion 1.6.21 security update [2]

  This release addresses the following security issues:
  [1][2] CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
  [1][2] CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs
  [1][2] CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs
  [1][2] CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs
  [1]    CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT request

  More information on these vulnerabilities, including the relevant advisories
  and potential attack vectors and workarounds, can be found on the Subversion
  security website:
  http://subversion.apache.org/security/

  PR: 177646
  Submitted by: ohauer
  Approved by: portmgr (tabthorpe, erwin), lev
  Security: b6beb137-9dc0-11e2-882f-20cf30e32f6d

Modified:
  head/devel/subversion/Makefile.common
  head/devel/subversion/distinfo
  head/devel/subversion16/Makefile.common
  head/devel/subversion16/Makefile.inc
  head/devel/subversion16/distinfo
  head/security/vuxml/vuln.xml

Modified: head/devel/subversion/Makefile.common
==============================================================================
--- 
head/devel/subversion/Makefile.common Sat Apr 6 02:38:59 2013 (r315738) +++ head/devel/subversion/Makefile.common Sat Apr 6 10:00:28 2013 (r315739) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= subversion -PORTVERSION= 1.7.8 +PORTVERSION= 1.7.9 PORTREVISION?= 0 CATEGORIES+= devel MASTER_SITES= ${MASTER_SITE_APACHE:S/$/:main/} \ Modified: head/devel/subversion/distinfo ============================================================================== --- head/devel/subversion/distinfo Sat Apr 6 02:38:59 2013 (r315738) +++ head/devel/subversion/distinfo Sat Apr 6 10:00:28 2013 (r315739) @@ -1,5 +1,5 @@ -SHA256 (subversion17/subversion-1.7.8.tar.bz2) = fc83d4d98ccea8b7bfa8f5c20fff545c8baa7d035db930977550c51c6ca23686 -SIZE (subversion17/subversion-1.7.8.tar.bz2) = 6023912 +SHA256 (subversion17/subversion-1.7.9.tar.bz2) = f8454c585f99afed764232a5048d9b8bfd0a25a9ab8e339ea69fe1204c453ef4 +SIZE (subversion17/subversion-1.7.9.tar.bz2) = 6040347 SHA256 (subversion17/svn-book-html-r4304.tar.bz2) = a63d958b1ae70daf2ac93a53ece70a0ba0f8f7de7af3f74a665fe44b8f50ca14 SIZE (subversion17/svn-book-html-r4304.tar.bz2) = 467806 SHA256 (subversion17/svn-book-r4304.pdf) = 1b2cada79db8268fd6cd55fac4e5ee04c1e2977bbc587fa1098bd3613b9689b2 Modified: head/devel/subversion16/Makefile.common ============================================================================== --- head/devel/subversion16/Makefile.common Sat Apr 6 02:38:59 2013 (r315738) +++ head/devel/subversion16/Makefile.common Sat Apr 6 10:00:28 2013 (r315739) @@ -120,6 +120,7 @@ LIB_DEPENDS+= serf-1:${PORTSDIR}/www/ser CONFIGURE_ARGS+=--with-serf=${LOCALBASE} PLIST_SUB+= SERF="" .else +CONFIGURE_ARGS+=--without-serf PLIST_SUB+= SERF="@comment " .endif Modified: head/devel/subversion16/Makefile.inc ============================================================================== --- head/devel/subversion16/Makefile.inc Sat Apr 6 02:38:59 2013 (r315738) +++ head/devel/subversion16/Makefile.inc Sat Apr 6 10:00:28 2013 (r315739) 
@@ -1,4 +1,4 @@ # $FreeBSD$ # this keeps subversion16 and ../svnmerge in sync, see pr 164854 -PORTVERSION= 1.6.20 +PORTVERSION= 1.6.21 Modified: head/devel/subversion16/distinfo ============================================================================== --- head/devel/subversion16/distinfo Sat Apr 6 02:38:59 2013 (r315738) +++ head/devel/subversion16/distinfo Sat Apr 6 10:00:28 2013 (r315739) @@ -1,5 +1,5 @@ -SHA256 (subversion/subversion-1.6.20.tar.bz2) = 9ca903186bacb7c005806b1202c3fe7622e3d36d4f85859ae3edc06afdbb619b -SIZE (subversion/subversion-1.6.20.tar.bz2) = 5572244 +SHA256 (subversion/subversion-1.6.21.tar.bz2) = efece333259a8cc37bc1af7210f2587cccd8dd484700458d324bfe3247875cd6 +SIZE (subversion/subversion-1.6.21.tar.bz2) = 5564522 SHA256 (subversion/svn-book-html.tar.bz2) = 5c4788e1f225b3186db5979b071fcc4c9543bfb5916cd62e003eea4507b8c8cb SIZE (subversion/svn-book-html.tar.bz2) = 406484 SHA256 (subversion/svn-book.pdf) = 64e483cd27be6752eb8dfc1b00749f8dc46adfc4fb1ab1356dd8e2406d878225 Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Apr 6 02:38:59 2013 (r315738) +++ head/security/vuxml/vuln.xml Sat Apr 6 10:00:28 2013 (r315739) @@ -51,6 +51,54 @@ Note: Please add new entries to the beg --> + + Subversion -- multiple vulnerabilities + + + subversion + 1.7.9 + 1.6.21 + + + + +

Subversion team reports:

+
+

Subversion's mod_dav_svn Apache HTTPD server module will use excessive + amounts of memory when a large number of properties are set or deleted + on a node.

+
+
+

Subversion's mod_dav_svn Apache HTTPD server module will crash when + a LOCK request is made against activity URLs.

+
+
+

Subversion's mod_dav_svn Apache HTTPD server module will crash in some + circumstances when a LOCK request is made against a non-existent URL.

+
+
+

Subversion's mod_dav_svn Apache HTTPD server module will crash when a + PROPFIND request is made against activity URLs.

+
+
+

Subversion's mod_dav_svn Apache HTTPD server module will crash when a + log REPORT request receives a limit that is out of the allowed range.

+
+ +
+ + CVE-2013-1845 + CVE-2013-1846 + CVE-2013-1847 + CVE-2013-1849 + CVE-2013-1884 + + + 2013-04-05 + 2013-04-05 + +
+ otrs -- Information disclosure and Data manipulation @@ -63,10 +111,10 @@ Note: Please add new entries to the beg

The OTRS Project reports:

-

An attacker with a valid agent login could manipulate URLs in the -object linking mechanism to see titles of tickets and other objects that are not -obliged to be seen. Furthermore, links to objects without permission can be -placed and removed.

+

An attacker with a valid agent login could manipulate URLs in the + object linking mechanism to see titles of tickets and other objects + that are not obliged to be seen. Furthermore, links to objects without + permission can be placed and removed.

@@ -17163,7 +17211,7 @@ executed in your Internet Explorer while
-

Subversion tram reports:

+

Subversion team reports:

Subversion's mod_dav_svn Apache HTTPD server module will dereference a NULL pointer if asked to deliver baselined WebDAV
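
Review bot: In the head/devel/subversion16/Makefile.common hunk (@@ -120,6 +120,7 @@), the added `CONFIGURE_ARGS+=--without-serf` in the `.else` branch changes how the 1.6 port is configured, but the commit log mentions only the 1.7.9 and 1.6.21 security updates. Suggest adding a log line that says why serf is now disabled explicitly when the option is off, so that someone auditing this security update can separate the configure change from the version bump. This diff makes no matching change to head/devel/subversion/Makefile.common; it is worth stating in the log whether that is intentional.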
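
Review bot: In the new Subversion entry added by the first head/security/vuxml/vuln.xml hunk (@@ -51,6 +51,54 @@), CVE-2013-1884 is listed next to the other four CVEs with nothing to show which branch it concerns, while the commit log marks it `[1]` only (the 1.7.9 update) and the other four `[1][2]`. Suggest saying so in the paragraph about the log REPORT limit crash, so that readers on the 1.6 port can see from the entry which of the listed issues the 1.6.21 update addresses. Separately, both dates in the entry read 2013-04-05 while the commit is dated 2013-04-06; if the second value is the entry date, it should be the day the entry was added.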
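
Review bot: The second head/security/vuxml/vuln.xml hunk (@@ -63,10 +111,10 @@) rewrites the OTRS description with changes to line breaks and indentation only; the wording of the removed and added lines is identical, and the log does not mention the change. Suggest committing that re-wrap separately, so the vuln.xml diff of a security update shows only the new Subversion entry and is quicker to audit.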