From nobody Fri Apr 15 19:47:49 2022
Date: Fri, 15 Apr 2022 19:47:49 GMT
Message-Id: <202204151947.23FJlnZQ096958@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
dev-commits-ports-main@FreeBSD.org
From: Rene Ladan

Subversion project reports:
- Subversion servers reveal 'copyfrom' paths that should be hidden according
- to configured path-based authorization (authz) rules. When a node has been
- copied from a protected location, users with access to the copy can see the
- 'copyfrom' path of the original. This also reveals the fact that the node
- was copied. Only the 'copyfrom' path is revealed; not its contents. Both
- httpd and svnserve servers are vulnerable.
-
- While looking up path-based authorization rules, mod_dav_svn servers
- may attempt to use memory which has already been freed.
-
-
-
+ Subversion servers reveal 'copyfrom' paths that should be hidden according
+ to configured path-based authorization (authz) rules. When a node has been
+ copied from a protected location, users with access to the copy can see the
+ 'copyfrom' path of the original. This also reveals the fact that the node
+ was copied. Only the 'copyfrom' path is revealed; not its contents. Both
+ httpd and svnserve servers are vulnerable.
+
++ While looking up path-based authorization rules, mod_dav_svn servers + may attempt to use memory which has already been freed. +
+
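Review bot: the added description repeats the removed one word for word, with only the leading whitespace changed, so nothing in these lines alters what the entry says about either issue (the 'copyfrom' path disclosure affecting both httpd and svnserve, and the use of already-freed memory in mod_dav_svn). Say in the commit message that this part of the change is whitespace-only, so anyone tracking the advisory does not go looking for a content change. Also confirm that the blank "+" line between the two paragraphs survives in the applied patch, since the second paragraph describes a separate issue that is limited to mod_dav_svn and should not read as a continuation of the first.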