#20777 closed enhancement (fixed)
subversion-1.14.5
Reported by: | Bruce Dubbs | Owned by: | Bruce Dubbs |
---|---|---|---|
Priority: | elevated | Milestone: | 12.3 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (8)
follow-up: 2 comment:1 by , 4 months ago
follow-up: 3 comment:2 by , 4 months ago
Replying to Rahul Chandra:
> Maybe slate this for archival? Might be too premature but svn seems to be an end package and almost no open source projects use it anymore (Arch was the last one I knew about)

I have mixed feelings about this. I agree that very few projects use it. We used it for over a decade but finally switched to git. OTOH, it does not update often and it is relatively easy to do.
comment:3 by , 4 months ago
Replying to Bruce Dubbs:
> Replying to Rahul Chandra:
> > Maybe slate this for archival? Might be too premature but svn seems to be an end package and almost no open source projects use it anymore (Arch was the last one I knew about)
>
> I have mixed feelings about this. I agree that very few projects use it. We used it for over a decade but finally switched to git. OTOH, it does not update often and it is relatively easy to do.

Maybe we could wait for 12.3 to release then archive this package?
comment:4 by , 4 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:5 by , 4 months ago
Version 1.14.5 (7 Dec 2024, from /branches/1.14.x)
- User-visible changes:
- Developer-visible changes:
  - Fix detection of zlib version 1.3 in gen-make.py on Windows
  - Suppress gen-make.py errors on Windows without Perl or Ruby
  - Fix printf-format build warnings in swig-rb
  - Add a regression test for CVE-2024-45720
  - Make swig-py compatible with SWIG 4.3.0
comment:6 by , 4 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at commits
39a831a6b9 Update to AppStream-1.0.4.
f37d9d7546 Update to subversion-1.14.5.
comment:7 by , 3 months ago
Priority: | normal → elevated |
---|
There was a security fix in here, CVE-2024-46901. It is marked as Low.
mod_dav_svn denial-of-service via control characters in paths

Summary:
========

It has been discovered that the patch for CVE-2013-1968 was incomplete and unintentionally left mod_dav_svn vulnerable to control characters in filenames. If a path or a revision-property which contains control characters is committed to a repository then SVN operations served by mod_dav_svn can be disrupted.

Known vulnerable:
=================

Subversion mod_dav_svn servers through 1.14.4 (inclusive).

Known fixed:
============

Servers running Subversion 1.14.5

Details:
========

If a path which contains control characters is committed to a repository then SVN operations served by mod_dav_svn can be disrupted by encoding errors raised from the XML library. This leads to disruption for users accessing the repository via HTTP.

Affected repositories can be repaired (see "Recommendations" below). However, restoring proper operation might take some time because a full dump/load cycle may be required.

Local repositories and svnserve repository servers (accessed via a file://, svn://, or svn+ssh:// URL) are not affected. In these cases, control characters have been rejected since CVE-2013-1968 was patched in Subversion 1.6.21 and Subversion 1.7.9.

Known symptoms of the problem include:

1) 'svn checkout', 'svnsync', and other operations that attempt to read the affected revision may produce errors like:

    svn: E175009: The XML response contains invalid XML
    svn: E130003: Malformed XML: not well-formed (invalid token)

2) Attempts to browse affected files or directories via the web interface will cause the server to return:

    500 Internal Server Error

Apache Subversion clients have always rejected filenames with control characters, so control characters cannot be introduced with stock Subversion clients. They could, however, be triggered by custom malicious Subversion clients or by third-party client implementations. Servers updated to Subversion 1.14.5 will reject control characters in all cases.

Severity:
=========

CVSSv3.1 Base Score: 3.1
CVSSv3.1 Base Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

A remote authenticated attacker with commit access may be able to corrupt repositories on a Subversion server and cause disruption for other users. Configurations that allow anonymous write access to the repository will be vulnerable to this without authentication.

Recommendations:
================

We recommend all users to upgrade their servers to a known fixed release of Subversion. Users who are unable to upgrade may apply the patch included below.

New Subversion packages can be found at:
http://subversion.apache.org/packages.html

Repositories affected by this problem can be repaired manually: Bad revision properties can be repaired by using svn propedit over the file://, svn:// or svn+ssh:// protocols. Bad paths which have entered a repository need to be removed from history with a dump/load cycle, using svnadmin dump --exclude to filter out the bad paths, and loading the result into a fresh repository with svnadmin load.
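The advisory's repair advice presumes an administrator already knows which revisions carry the bad paths or revision properties. As an added example (not code from this ticket or from the Subversion project), the script below finds them by parsing an `svnadmin dump` stream offline, which works for servers that cannot yet be upgraded and avoids touching mod_dav_svn at all. Two thresholds are my assumptions: a node path is flagged on any C0 control byte or DEL (what stock clients reject), while a revision-property value is flagged only on the control characters XML 1.0 forbids in text, so ordinary multi-line log messages are not reported. The embedded dump is constructed for the demonstration.

```python
"""Scan an `svnadmin dump` stream for node paths and revision properties that
contain control characters (added example, not Subversion project code)."""
import re
import sys
from typing import Dict, List, Tuple

# Assumption: a path is bad if it holds any C0 control byte or DEL.
PATH_CTRL = re.compile(rb"[\x00-\x1f\x7f]")
# Assumption: a revprop value is bad only if it holds a control character that
# XML 1.0 forbids in text, so TAB/LF/CR inside log messages pass.
PROP_CTRL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

Finding = Tuple[int, str, str]  # (revision, "path" | "revprop", detail)


def parse_props(block: bytes) -> Dict[bytes, bytes]:
    """Parse a dump property block of 'K n / key / V n / value' records
    (and 'D n / key' deletions in delta dumps) up to PROPS-END."""
    props: Dict[bytes, bytes] = {}
    pos = 0
    while pos < len(block):
        nl = block.index(b"\n", pos)
        header, pos = block[pos:nl], nl + 1
        if header == b"PROPS-END":
            break
        tag, klen = header.split(b" ", 1)
        key = block[pos:pos + int(klen)]
        pos += int(klen) + 1  # key bytes plus trailing newline
        if tag == b"D":  # deleted property: no value record follows
            continue
        nl = block.index(b"\n", pos)
        vlen = int(block[pos + 2:nl])  # "V <len>"
        pos = nl + 1
        props[key] = block[pos:pos + vlen]
        pos += vlen + 1
    return props


def _read_headers(data: bytes, pos: int, first: bytes) -> Tuple[Dict[bytes, bytes], int]:
    """Collect 'Key: value' lines from `first` up to the blank line that ends a
    record header; return (headers, offset just past that blank line)."""
    headers: Dict[bytes, bytes] = {}
    line = first
    while line:
        key, _, value = line.partition(b": ")
        headers[key] = value
        nl = data.index(b"\n", pos)
        line, pos = data[pos:nl], nl + 1
    return headers, pos


def scan_dump(data: bytes) -> List[Finding]:
    """Walk revision and node records; each body is skipped by Content-length,
    so file text can never be mistaken for a header line."""
    findings: List[Finding] = []
    pos, rev = 0, -1
    while True:
        nl = data.find(b"\n", pos)
        if nl < 0:
            break
        line, pos = data[pos:nl], nl + 1
        if not line.startswith((b"Revision-number: ", b"Node-path: ")):
            continue  # format line, UUID, blank separators
        headers, pos = _read_headers(data, pos, line)
        body_len = int(headers.get(b"Content-length", b"0"))
        body, pos = data[pos:pos + body_len], pos + body_len
        if b"Revision-number" in headers:
            rev = int(headers[b"Revision-number"])
            prop_len = int(headers.get(b"Prop-content-length", b"0"))
            for key, value in parse_props(body[:prop_len]).items():
                if PROP_CTRL.search(value):
                    findings.append((rev, "revprop", key.decode()))
        elif PATH_CTRL.search(headers[b"Node-path"]):
            findings.append((rev, "path", headers[b"Node-path"].decode("utf-8", "replace")))
    return findings


def describe(finding: Finding) -> str:
    """Report line with control characters escaped, naming the advisory's repair."""
    rev, kind, detail = finding
    shown = detail.encode("unicode_escape").decode("ascii")
    if kind == "path":
        return f"r{rev}: node path '{shown}' has control characters; drop it with svnadmin dump --exclude and svnadmin load"
    return f"r{rev}: revision property {shown} has control characters; fix with svn propedit over file://, svn:// or svn+ssh://"


# Constructed sample dump: r1 adds a file whose name contains 0x01, r2 has a
# log message containing BEL (0x07); r1's multi-line log message is fine.
SAMPLE_DUMP = (
    b"SVN-fs-dump-format-version: 2\n\nUUID: 0f3a5c1e-0000-4000-8000-000000000000\n\n"
    b"Revision-number: 0\nProp-content-length: 56\nContent-length: 56\n\n"
    b"K 8\nsvn:date\nV 27\n2024-12-07T10:00:00.000000Z\nPROPS-END\n\n"
    b"Revision-number: 1\nProp-content-length: 124\nContent-length: 124\n\n"
    b"K 7\nsvn:log\nV 24\nAdd trunk\n\nFirst commit.\nK 10\nsvn:author\nV 5\nalice\n"
    b"K 8\nsvn:date\nV 27\n2024-12-07T10:01:00.000000Z\nPROPS-END\n\n"
    b"Node-path: trunk\nNode-kind: dir\nNode-action: add\nProp-content-length: 10\n"
    b"Content-length: 10\n\nPROPS-END\n\n\n"
    b"Node-path: trunk/bad\x01name.txt\nNode-kind: file\nNode-action: add\n"
    b"Prop-content-length: 10\nText-content-length: 6\nContent-length: 16\n\nPROPS-END\nhello\n\n\n"
    b"Revision-number: 2\nProp-content-length: 108\nContent-length: 108\n\n"
    b"K 7\nsvn:log\nV 10\nFix\x07 build\nK 10\nsvn:author\nV 3\nbob\n"
    b"K 8\nsvn:date\nV 27\n2024-12-07T10:02:00.000000Z\nPROPS-END\n\n"
    b"Node-path: trunk/README\nNode-kind: file\nNode-action: add\n"
    b"Prop-content-length: 10\nText-content-length: 4\nContent-length: 14\n\nPROPS-END\nhi!\n\n\n"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for finding in scan_dump(data):
        print(describe(finding))
```

Run it as `svnadmin dump /path/to/repo > repo.dump && python3 scan_dump.py repo.dump`; with no argument it scans the constructed sample and reports r1's path and r2's `svn:log`. Findings of kind `path` are the ones that need the dump/load cycle the advisory describes, while `revprop` findings can be corrected in place with `svn propedit` over a non-HTTP protocol.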