Bug 68015 - [patch] Subversion upgrade to 1.0.5
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Lev A. Serebryakov
 
Reported: 2004-06-16 17:00 UTC by Henry Karpatskij
Modified: 2004-06-17 08:30 UTC

Attachments
subversion.patch (667 bytes, patch)
2004-06-16 17:00 UTC, Henry Karpatskij

Description Henry Karpatskij 2004-06-16 17:00:36 UTC
Subversion 1.0.4 contains a remotely exploitable vulnerability which is fixed in the current release, 1.0.5.  However, the current ported version is 1.0.4.  The advisory can be found at <URI: http://subversion.tigris.org/security/CAN-2004-0413-advisory.txt>

Fix: I diffed the sources between the 1.0.4 and 1.0.5 releases and it seems they've only changed the vulnerable part of the code.  Assuming that it won't break up the building process, just changing the PORTVERSION and distinfo to match the 1.0.5 version should do it - it compiled ok for me (I'm using apache2 APR).
I pasted the (quite simple) patch below:
How-To-Repeat: Run the svnserve and wait... :-)
Comment 1 Lev A. Serebryakov freebsd_committer freebsd_triage 2004-06-17 07:38:41 UTC
Responsible Changed
From-To: freebsd-ports-bugs->lev


I'm the maintainer.
Comment 2 Lev A. Serebryakov freebsd_committer freebsd_triage 2004-06-17 07:39:00 UTC
State Changed
From-To: open->closed


Committed, thanks
Comment 3 Oliver Eikemeier 2004-06-17 08:27:20 UTC
Since this fixes a security vulnerability, you might want to add a patch for

   ports/security/vuxml/vuln.xml
or
   ports/security/portaudit-db/database/portaudit.txt

next time (Not both, the first is preferred).

Thanks for fixing this
-Oliver