Bug 177646 - [patch] devel/subversion security update
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Olli Hauer
Reported: 2013-04-05 06:20 UTC by Olli Hauer
Modified: 2013-04-06 11:30 UTC
Attachments
subversion.diff (1.17 KB, patch), 2013-04-05 06:20 UTC, Olli Hauer

Description Olli Hauer 2013-04-05 06:20:00 UTC
This release addresses five security issues:
    CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
    CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs
    CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs
    CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs
    CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT request

More information on these vulnerabilities, including the relevant advisories
and potential attack vectors and workarounds, can be found on the Subversion
security website:
    http://subversion.apache.org/security/
Comment 1 dfilter service 2013-04-06 11:00:43 UTC
Author: ohauer
Date: Sat Apr  6 10:00:28 2013
New Revision: 315739
URL: http://svnweb.freebsd.org/changeset/ports/315739

Log:
  - Subversion 1.7.9 security update [1]
  - Subversion 1.6.21 security update [2]
  
  This release addresses the following security issues:
  [1][2]  CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
  [1][2]  CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs
  [1][2]  CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs
  [1][2]  CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs
  [1]     CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT request
  
  More information on these vulnerabilities, including the relevant advisories
  and potential attack vectors and workarounds, can be found on the Subversion
  security website:
      http://subversion.apache.org/security/
  
  PR:		177646
  Submitted by:	ohauer
  Approved by:	portmgr (tabthorpe, erwin), lev
  Security:	b6beb137-9dc0-11e2-882f-20cf30e32f6d

Modified:
  head/devel/subversion/Makefile.common
  head/devel/subversion/distinfo
  head/devel/subversion16/Makefile.common
  head/devel/subversion16/Makefile.inc
  head/devel/subversion16/distinfo
  head/security/vuxml/vuln.xml

Modified: head/devel/subversion/Makefile.common
==============================================================================
--- head/devel/subversion/Makefile.common	Sat Apr  6 02:38:59 2013	(r315738)
+++ head/devel/subversion/Makefile.common	Sat Apr  6 10:00:28 2013	(r315739)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	subversion
-PORTVERSION=	1.7.8
+PORTVERSION=	1.7.9
 PORTREVISION?=	0
 CATEGORIES+=	devel
 MASTER_SITES=	${MASTER_SITE_APACHE:S/$/:main/} \
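Review bot: leaving PORTREVISION?=0 untouched is correct for a new upstream release (the bump to PORTVERSION=1.7.9 already changes the package version). Since Makefile.common is a shared file and the Modified list touches only it and distinfo for the 1.7 port, confirm that every port that includes this file builds against 1.7.9 without further changes.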

Modified: head/devel/subversion/distinfo
==============================================================================
--- head/devel/subversion/distinfo	Sat Apr  6 02:38:59 2013	(r315738)
+++ head/devel/subversion/distinfo	Sat Apr  6 10:00:28 2013	(r315739)
@@ -1,5 +1,5 @@
-SHA256 (subversion17/subversion-1.7.8.tar.bz2) = fc83d4d98ccea8b7bfa8f5c20fff545c8baa7d035db930977550c51c6ca23686
-SIZE (subversion17/subversion-1.7.8.tar.bz2) = 6023912
+SHA256 (subversion17/subversion-1.7.9.tar.bz2) = f8454c585f99afed764232a5048d9b8bfd0a25a9ab8e339ea69fe1204c453ef4
+SIZE (subversion17/subversion-1.7.9.tar.bz2) = 6040347
 SHA256 (subversion17/svn-book-html-r4304.tar.bz2) = a63d958b1ae70daf2ac93a53ece70a0ba0f8f7de7af3f74a665fe44b8f50ca14
 SIZE (subversion17/svn-book-html-r4304.tar.bz2) = 467806
 SHA256 (subversion17/svn-book-r4304.pdf) = 1b2cada79db8268fd6cd55fac4e5ee04c1e2977bbc587fa1098bd3613b9689b2
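Review bot: the new SHA256/SIZE pair for subversion-1.7.9.tar.bz2 pins whatever tarball was present when the checksum was regenerated; before committing, verify that tarball against the release signature published by the Subversion project, so the pinned hash attests to the genuine upstream release rather than to an unverified mirror copy. The unchanged svn-book entries are expected.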

Modified: head/devel/subversion16/Makefile.common
==============================================================================
--- head/devel/subversion16/Makefile.common	Sat Apr  6 02:38:59 2013	(r315738)
+++ head/devel/subversion16/Makefile.common	Sat Apr  6 10:00:28 2013	(r315739)
@@ -120,6 +120,7 @@ LIB_DEPENDS+=	serf-1:${PORTSDIR}/www/ser
 CONFIGURE_ARGS+=--with-serf=${LOCALBASE}
 PLIST_SUB+=	SERF=""
 .else
+CONFIGURE_ARGS+=--without-serf
 PLIST_SUB+=	SERF="@comment "
 .endif
 
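Review bot: the added `CONFIGURE_ARGS+=--without-serf` in the .else branch is a build-configuration change that the commit log does not mention (the log lists only the two version bumps and the CVEs); either state it in the log or commit it separately so the security update stays minimal and easy to audit. The change itself is consistent with the .if branch, which passes `--with-serf=${LOCALBASE}`.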

Modified: head/devel/subversion16/Makefile.inc
==============================================================================
--- head/devel/subversion16/Makefile.inc	Sat Apr  6 02:38:59 2013	(r315738)
+++ head/devel/subversion16/Makefile.inc	Sat Apr  6 10:00:28 2013	(r315739)
@@ -1,4 +1,4 @@
 # $FreeBSD$
 # this keeps subversion16 and ../svnmerge in sync, see pr 164854
 
-PORTVERSION=	1.6.20
+PORTVERSION=	1.6.21
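Review bot: per the comment two lines above, this PORTVERSION bump to 1.6.21 is also consumed by ../svnmerge, yet the Modified list contains no svnmerge file; confirm that port still builds and packages correctly with 1.6.21 from this include alone.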

Modified: head/devel/subversion16/distinfo
==============================================================================
--- head/devel/subversion16/distinfo	Sat Apr  6 02:38:59 2013	(r315738)
+++ head/devel/subversion16/distinfo	Sat Apr  6 10:00:28 2013	(r315739)
@@ -1,5 +1,5 @@
-SHA256 (subversion/subversion-1.6.20.tar.bz2) = 9ca903186bacb7c005806b1202c3fe7622e3d36d4f85859ae3edc06afdbb619b
-SIZE (subversion/subversion-1.6.20.tar.bz2) = 5572244
+SHA256 (subversion/subversion-1.6.21.tar.bz2) = efece333259a8cc37bc1af7210f2587cccd8dd484700458d324bfe3247875cd6
+SIZE (subversion/subversion-1.6.21.tar.bz2) = 5564522
 SHA256 (subversion/svn-book-html.tar.bz2) = 5c4788e1f225b3186db5979b071fcc4c9543bfb5916cd62e003eea4507b8c8cb
 SIZE (subversion/svn-book-html.tar.bz2) = 406484
 SHA256 (subversion/svn-book.pdf) = 64e483cd27be6752eb8dfc1b00749f8dc46adfc4fb1ab1356dd8e2406d878225
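Review bot: the pinned tarball shrinks from 5572244 to 5564522 bytes between 1.6.20 and 1.6.21; that is not a defect in itself, but together with the new SHA256 it should be checked against the signature the project publishes for subversion-1.6.21.tar.bz2 rather than regenerated from an unverified download.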

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sat Apr  6 02:38:59 2013	(r315738)
+++ head/security/vuxml/vuln.xml	Sat Apr  6 10:00:28 2013	(r315739)
@@ -51,6 +51,54 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="b6beb137-9dc0-11e2-882f-20cf30e32f6d">
+    <topic>Subversion -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>subversion</name>
+	<range><lt>1.7.9</lt></range>
+	<range><lt>1.6.21</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Subversion team reports:</p>
+	  <blockquote cite="http://subversion.apache.org/security/CVE-2013-1845-advisory.txt">
+	    <p>Subversion's mod_dav_svn Apache HTTPD server module will use excessive
+	      amounts of memory when a large number of properties are set or deleted
+	      on a node.</p>
+	</blockquote>
+	  <blockquote cite="http://subversion.apache.org/security/CVE-2013-1846-advisory.txt">
+	    <p>Subversion's mod_dav_svn Apache HTTPD server module will crash when
+	      a LOCK request is made against activity URLs.</p>
+	</blockquote>
+	<blockquote cite="http://subversion.apache.org/security/CVE-2013-1847-advisory.txt">
+	    <p>Subversion's mod_dav_svn Apache HTTPD server module will crash in some
+	      circumstances when a LOCK request is made against a non-existent URL.</p>
+	</blockquote>
+	<blockquote cite="http://subversion.apache.org/security/CVE-2013-1849-advisory.txt">
+	  <p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
+	    PROPFIND request is made against activity URLs.</p>
+	</blockquote>
+	<blockquote cite="http://subversion.apache.org/security/CVE-2013-1884-advisory.txt">
+	  <p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
+	    log REPORT request receives a limit that is out of the allowed range.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-1845</cvename>
+      <cvename>CVE-2013-1846</cvename>
+      <cvename>CVE-2013-1847</cvename>
+      <cvename>CVE-2013-1849</cvename>
+      <cvename>CVE-2013-1884</cvename>
+    </references>
+    <dates>
+      <discovery>2013-04-05</discovery>
+      <entry>2013-04-05</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="eae8e3cf-9dfe-11e2-ac7f-001fd056c417">
     <topic>otrs -- Information disclosure and Data manipulation</topic>
     <affects>
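Review bot: the two ranges under the single `<name>subversion</name>` package overlap: `<range><lt>1.7.9</lt></range>` also matches every 1.6.x version, including the fixed 1.6.21, so a host updated to 1.6.21 would still be reported as vulnerable. Bound the 1.7 range from below, e.g.
`<range><ge>1.7.0</ge><lt>1.7.9</lt></range>`
`<range><lt>1.6.21</lt></range>`
The blockquote indentation is also inconsistent (the CVE-2013-1845 and CVE-2013-1846 blocks sit two spaces deeper than the other three); run `make validate` in security/vuxml before committing.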
@@ -63,10 +111,10 @@ Note:  Please add new entries to the beg
       <body xmlns="http://www.w3.org/1999/xhtml">
 	<p>The OTRS Project reports:</p>
 	<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/">
-	  <p>An attacker with a valid agent login could manipulate URLs in the
-object linking mechanism to see titles of tickets and other objects that are not
-obliged to be seen. Furthermore, links to objects without permission can be
-placed and removed.</p>
+		<p>An attacker with a valid agent login could manipulate URLs in the
+		  object linking mechanism to see titles of tickets and other objects
+		  that are not obliged to be seen. Furthermore, links to objects without
+		  permission can be placed and removed.</p>
 	</blockquote>
       </body>
     </description>
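Review bot: this hunk only re-indents the otrs entry's paragraph, which is unrelated to the Subversion update and not mentioned in the log; the new indentation (two tabs plus two spaces) is also deeper than the enclosing one-tab `<blockquote>`, so if the reflow is kept it should match the surrounding entry's style.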
@@ -17163,7 +17211,7 @@ executed in your Internet Explorer while
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>Subversion tram reports:</p>
+	<p>Subversion team reports:</p>
 	<blockquote cite="http://subversion.apache.org/security/CVE-2011-1752-advisory.txt">
 	  <p>Subversion's mod_dav_svn Apache HTTPD server module will
 	    dereference a NULL pointer if asked to deliver baselined WebDAV
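Review bot: the tram/team typo fix in the CVE-2011-1752 entry is fine but unrelated to this update; note it in the log (or commit it separately) so the commit's stated scope matches its contents.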
Comment 2 Olli Hauer 2013-04-06 11:29:35 UTC
State Changed
From-To: open->closed

Submitted! 


Comment 3 Olli Hauer 2013-04-06 11:29:35 UTC
Responsible Changed
From-To: freebsd-ports-bugs->ohauer