ports/177646: commit references a PR
dfilter service
dfilter at FreeBSD.ORG
Sat Apr 6 10:10:01 UTC 2013
The following reply was made to PR ports/177646; it has been noted by GNATS.
From: dfilter at FreeBSD.ORG (dfilter service)
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: ports/177646: commit references a PR
Date: Sat, 6 Apr 2013 10:00:43 +0000 (UTC)
Author: ohauer
Date: Sat Apr 6 10:00:28 2013
New Revision: 315739
URL: http://svnweb.freebsd.org/changeset/ports/315739
Log:
- Subversion 1.7.9 security update [1]
- Subversion 1.6.21 security update [2]
This release addresses the following security issues:
[1][2] CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
[1][2] CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity URLs
[1][2] CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existent URLs
[1][2] CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity URLs
[1] CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT request
More information on these vulnerabilities, including the relevant advisories
and potential attack vectors and workarounds, can be found on the Subversion
security website:
http://subversion.apache.org/security/
PR: 177646
Submitted by: ohauer
Approved by: portmgr (tabthorpe, erwin), lev
Security: b6beb137-9dc0-11e2-882f-20cf30e32f6d
Modified:
head/devel/subversion/Makefile.common
head/devel/subversion/distinfo
head/devel/subversion16/Makefile.common
head/devel/subversion16/Makefile.inc
head/devel/subversion16/distinfo
head/security/vuxml/vuln.xml
Modified: head/devel/subversion/Makefile.common
==============================================================================
--- head/devel/subversion/Makefile.common Sat Apr 6 02:38:59 2013 (r315738)
+++ head/devel/subversion/Makefile.common Sat Apr 6 10:00:28 2013 (r315739)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= subversion
-PORTVERSION= 1.7.8
+PORTVERSION= 1.7.9
PORTREVISION?= 0
CATEGORIES+= devel
MASTER_SITES= ${MASTER_SITE_APACHE:S/$/:main/} \
Modified: head/devel/subversion/distinfo
==============================================================================
--- head/devel/subversion/distinfo Sat Apr 6 02:38:59 2013 (r315738)
+++ head/devel/subversion/distinfo Sat Apr 6 10:00:28 2013 (r315739)
@@ -1,5 +1,5 @@
-SHA256 (subversion17/subversion-1.7.8.tar.bz2) = fc83d4d98ccea8b7bfa8f5c20fff545c8baa7d035db930977550c51c6ca23686
-SIZE (subversion17/subversion-1.7.8.tar.bz2) = 6023912
+SHA256 (subversion17/subversion-1.7.9.tar.bz2) = f8454c585f99afed764232a5048d9b8bfd0a25a9ab8e339ea69fe1204c453ef4
+SIZE (subversion17/subversion-1.7.9.tar.bz2) = 6040347
SHA256 (subversion17/svn-book-html-r4304.tar.bz2) = a63d958b1ae70daf2ac93a53ece70a0ba0f8f7de7af3f74a665fe44b8f50ca14
SIZE (subversion17/svn-book-html-r4304.tar.bz2) = 467806
SHA256 (subversion17/svn-book-r4304.pdf) = 1b2cada79db8268fd6cd55fac4e5ee04c1e2977bbc587fa1098bd3613b9689b2
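Review bot: The replaced SHA256 and SIZE lines for subversion-1.7.9.tar.bz2 carry no stated provenance, and distinfo is the only integrity check the port applies to the fetched tarball. Say in the log that the digest was compared with the checksum or signature upstream publishes for the release, rather than only regenerated from whatever the mirror served.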
Modified: head/devel/subversion16/Makefile.common
==============================================================================
--- head/devel/subversion16/Makefile.common Sat Apr 6 02:38:59 2013 (r315738)
+++ head/devel/subversion16/Makefile.common Sat Apr 6 10:00:28 2013 (r315739)
@@ -120,6 +120,7 @@ LIB_DEPENDS+= serf-1:${PORTSDIR}/www/ser
CONFIGURE_ARGS+=--with-serf=${LOCALBASE}
PLIST_SUB+= SERF=""
.else
+CONFIGURE_ARGS+=--without-serf
PLIST_SUB+= SERF="@comment "
.endif
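Review bot: The added CONFIGURE_ARGS+=--without-serf in the .else branch changes build behaviour, but the commit log lists only the 1.7.9 and 1.6.21 security updates and says nothing about serf. Add a log line explaining why serf now has to be disabled explicitly when the option is off, or move this line to its own commit so the security update stays minimal and easy to merge.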
Modified: head/devel/subversion16/Makefile.inc
==============================================================================
--- head/devel/subversion16/Makefile.inc Sat Apr 6 02:38:59 2013 (r315738)
+++ head/devel/subversion16/Makefile.inc Sat Apr 6 10:00:28 2013 (r315739)
@@ -1,4 +1,4 @@
# $FreeBSD$
# this keeps subversion16 and ../svnmerge in sync, see pr 164854
-PORTVERSION= 1.6.20
+PORTVERSION= 1.6.21
Modified: head/devel/subversion16/distinfo
==============================================================================
--- head/devel/subversion16/distinfo Sat Apr 6 02:38:59 2013 (r315738)
+++ head/devel/subversion16/distinfo Sat Apr 6 10:00:28 2013 (r315739)
@@ -1,5 +1,5 @@
-SHA256 (subversion/subversion-1.6.20.tar.bz2) = 9ca903186bacb7c005806b1202c3fe7622e3d36d4f85859ae3edc06afdbb619b
-SIZE (subversion/subversion-1.6.20.tar.bz2) = 5572244
+SHA256 (subversion/subversion-1.6.21.tar.bz2) = efece333259a8cc37bc1af7210f2587cccd8dd484700458d324bfe3247875cd6
+SIZE (subversion/subversion-1.6.21.tar.bz2) = 5564522
SHA256 (subversion/svn-book-html.tar.bz2) = 5c4788e1f225b3186db5979b071fcc4c9543bfb5916cd62e003eea4507b8c8cb
SIZE (subversion/svn-book-html.tar.bz2) = 406484
SHA256 (subversion/svn-book.pdf) = 64e483cd27be6752eb8dfc1b00749f8dc46adfc4fb1ab1356dd8e2406d878225
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Apr 6 02:38:59 2013 (r315738)
+++ head/security/vuxml/vuln.xml Sat Apr 6 10:00:28 2013 (r315739)
@@ -51,6 +51,54 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="b6beb137-9dc0-11e2-882f-20cf30e32f6d">
+ <topic>Subversion -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>subversion</name>
+ <range><lt>1.7.9</lt></range>
+ <range><lt>1.6.21</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Subversion team reports:</p>
+ <blockquote cite="http://subversion.apache.org/security/CVE-2013-1845-advisory.txt">
+ <p>Subversion's mod_dav_svn Apache HTTPD server module will use excessive
+ amounts of memory when a large number of properties are set or deleted
+ on a node.</p>
+ </blockquote>
+ <blockquote cite="http://subversion.apache.org/security/CVE-2013-1846-advisory.txt">
+ <p>Subversion's mod_dav_svn Apache HTTPD server module will crash when
+ a LOCK request is made against activity URLs.</p>
+ </blockquote>
+ <blockquote cite="http://subversion.apache.org/security/CVE-2013-1847-advisory.txt">
+ <p>Subversion's mod_dav_svn Apache HTTPD server module will crash in some
+ circumstances when a LOCK request is made against a non-existent URL.</p>
+ </blockquote>
+ <blockquote cite="http://subversion.apache.org/security/CVE-2013-1849-advisory.txt">
+ <p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
+ PROPFIND request is made against activity URLs.</p>
+ </blockquote>
+ <blockquote cite="http://subversion.apache.org/security/CVE-2013-1884-advisory.txt">
+ <p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
+ log REPORT request receives a limit that is out of the allowed range.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-1845</cvename>
+ <cvename>CVE-2013-1846</cvename>
+ <cvename>CVE-2013-1847</cvename>
+ <cvename>CVE-2013-1849</cvename>
+ <cvename>CVE-2013-1884</cvename>
+ </references>
+ <dates>
+ <discovery>2013-04-05</discovery>
+ <entry>2013-04-05</entry>
+ </dates>
+ </vuln>
+
<vuln vid="eae8e3cf-9dfe-11e2-ac7f-001fd056c417">
<topic>otrs -- Information disclosure and Data manipulation</topic>
<affects>
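Review bot: In the new entry's <affects> block, <range><lt>1.7.9</lt></range> and <range><lt>1.6.21</lt></range> sit in the same <package> and are alternatives, so the first range already covers everything the second does and a system updated to the fixed 1.6.21 still matches as vulnerable. Bound the 1.7 range from below, e.g. <range><ge>1.7.0</ge><lt>1.7.9</lt></range>, and keep <lt>1.6.21</lt> for the older branch. The log also tags CVE-2013-1884 with [1] only, a distinction the single entry does not express.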
@@ -63,10 +111,10 @@ Note: Please add new entries to the beg
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS Project reports:</p>
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/">
- <p>An attacker with a valid agent login could manipulate URLs in the
-object linking mechanism to see titles of tickets and other objects that are not
-obliged to be seen. Furthermore, links to objects without permission can be
-placed and removed.</p>
+ <p>An attacker with a valid agent login could manipulate URLs in the
+ object linking mechanism to see titles of tickets and other objects
+ that are not obliged to be seen. Furthermore, links to objects without
+ permission can be placed and removed.</p>
</blockquote>
</body>
</description>
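Review bot: The re-wrapped <p> inside the otrs blockquote is a whitespace-only change to an unrelated entry and is not mentioned in the log. Commit it separately so this revision contains only the Subversion update and its VuXML entry.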
@@ -17163,7 +17211,7 @@ executed in your Internet Explorer while
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>Subversion tram reports:</p>
+ <p>Subversion team reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2011-1752-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module will
dereference a NULL pointer if asked to deliver baselined WebDAV
_______________________________________________
svn-ports-all at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe at freebsd.org"