[SECURITY] Fedora 13 Update: subversion-1.6.13-1.fc13

Thu Oct 28 05:47:03 UTC 2010

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-16136
2010-10-11 18:57:42
--------------------------------------------------------------------------------

Name        : subversion
Product     : Fedora 13
Version     : 1.6.13
Release     : 1.fc13
URL         : http://subversion.apache.org/
Summary     : A Modern Concurrent Version Control System
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes.  Subversion only stores the differences between versions,
instead of every complete file.  Subversion is intended to be a
compelling replacement for CVS.

--------------------------------------------------------------------------------
Update Information:

This update includes the latest stable release of Subversion, version 1.6.13.

Subversion servers up to 1.6.12 (inclusive) making use of the
"SVNPathAuthz short_circuit" mod_dav_svn configuration setting have
a bug which may allow users to write and/or read portions of the
repository to which they are not intended to have access.  This issue is fixed in this update.

See http://subversion.apache.org/security/CVE-2010-3315-advisory.txt for further details

A number of bug fixes are also included:

* don't drop properties during foreign-repo merges
* improve auto-props failure error message
* improve error message for 403 status with ra_neon
* don't allow 'merge --reintegrate' for 2-url merges
* improve handling of missing fsfs.conf during hotcopy
* escape unsafe characters in a URL during export
* don't leak stale locks in FSFS
* better detect broken working copies during update over ra_neon
* fsfs: make rev files read-only
* properly canonicalize a URL
* fix wc corruption with 'commit --depth=empty'
* permissions fixes when doing reintegrate merges
* fix mergeinfo miscalculation during 2-url merges
* fix error transmission problems in svnserve
* fixed: record-only merges create self-referential mergeinfo
* make 'svnmucc propset' handle existing and non-existing URLs
* add new 'propsetf' subcommand to svnmucc
* emit a warning about copied dirs during ci with limited depth

--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct  5 2010 Joe Orton <jorton at redhat.com> - 1.6.13-1
- update to 1.6.13
- add svnserve init script
- split out -libs subpackage
* Wed Jul  7 2010 Joe Orton <jorton at redhat.com> - 1.6.12-1
- update to 1.6.12 (#586629)
* Sat Apr 17 2010 Joe Orton <jorton at redhat.com> - 1.6.11-1
- update to 1.6.11
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #640317 - CVE-2010-3315 Subversion: Access restriction bypass by checkout of the root of the repository
        https://bugzilla.redhat.com/show_bug.cgi?id=640317
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update subversion' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------