[SECURITY] Fedora 20 Update: subversion-1.8.8-1.fc20

updates at fedoraproject.org updates at fedoraproject.org
Sat Mar 15 15:17:32 UTC 2014 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-3365
2014-03-04 04:01:24
--------------------------------------------------------------------------------

Name        : subversion
Product     : Fedora 20
Version     : 1.8.8
Release     : 1.fc20
URL         : http://subversion.apache.org/
Summary     : A Modern Concurrent Version Control System
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes.  Subversion only stores the differences between versions,
instead of every complete file.  Subversion is intended to be a
compelling replacement for CVS.

--------------------------------------------------------------------------------
Update Information:

This update includes the latest stable release of Subversion, fixing a security issue (CVE-2014-0032):

Subversion's mod_dav_svn Apache HTTPD server module will crash when it receives an OPTIONS request against the server root and Subversion is configured to handle the server root and SVNListParentPath is on.

This can lead to a DoS.  There are no known instances of this problem being exploited in the wild, but the details of how to exploit it have been disclosed on the Subversion development mailing list.

For more information, see:

https://subversion.apache.org/security/CVE-2014-0032-advisory.txt

A number of client-side bug fixes are included in this update:

* fix automatic relocate for wcs not at repository root
* wc: improve performance when used with SQLite 3.8
* copy: fix some scenarios that broke the working copy
* move: fix errors when moving files between an external and the parent working copy
* log: resolve performance regression in certain scenarios
* merge: decrease work to detect differences between 3 files
* commit: don't change file permissions inappropriately
* commit: fix assertion due to invalid pool lifetime
* version: don't cut off the distribution version on Linux
* flush stdout before exiting to avoid information being lost
* status: fix missing sentinel value on warning codes
* update/switch: improve some WC db queries that may return incorrect results depending on how SQLite is built

Server-side bugfixes:

* reduce memory usage during checkout and export
* fsfs: create rep-cache.db with proper permissions
* mod_dav_svn: prevent crashes with SVNListParentPath on (CVE-2014-0032)
* mod_dav_svn: fix SVNAllowBulkUpdates directive merging
* mod_dav_svn: include requested property changes in reports
* svnserve: correct default cache size in help text
* svnadmin dump: reduce size of dump files with '--deltas'
* resolve integer underflow that resulted in infinite loops

--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 28 2014 Joe Orton <jorton at redhat.com> - 1.8.8-1
- update to 1.8.8
* Thu Jan 23 2014 Joe Orton <jorton at redhat.com> - 1.8.5-4
- fix _httpd_mmn expansion in absence of httpd-devel
* Mon Jan  6 2014 Joe Orton <jorton at redhat.com> - 1.8.5-3
- fix permissions of /run/svnserve (#1048422)
* Tue Dec 10 2013 Joe Orton <jorton at redhat.com> - 1.8.5-2
- don't drop -Wall when building swig Perl bindings (#1037341)
* Tue Nov 26 2013 Joe Orton <jorton at redhat.com> - 1.8.5-1
- update to 1.8.5 (#1034130)
- add fix for wc-queries-test breakage (h/t Andreas Stieger, r1542774)
* Mon Nov 18 2013 Joe Orton <jorton at redhat.com> - 1.8.4-2
- add fix for ppc breakage (Andreas Stieger, #985582)
* Tue Oct 29 2013 Joe Orton <jorton at redhat.com> - 1.8.4-1
- update to 1.8.4
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1062042 - CVE-2014-0032 subversion: mod_dav_svn crash when handling certain requests with SVNListParentPath on
        https://bugzilla.redhat.com/show_bug.cgi?id=1062042
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update subversion' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list