Bug 152738 - CAN-2004-0397 CAN-2004-0413 subversion advisories
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: subversion
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
LEGACY, rh90
Reported: 2004-06-14 12:00 EDT by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)
Last Closed: 2005-04-05 19:15:53 EDT
Description David Lawrence 2005-03-30 18:25:44 EST
CAN-2004-0397:
Subversion versions up to 1.0.2 are vulnerable to a date parsing 
vulnerability which can be abused to allow remote code execution
on Subversion servers and therefore could lead to a repository
compromise.

CAN-2004-0413:
Subversion versions up to and including 1.0.4 have a potential
Denial of Service and Heap Overflow issue related to the parsing of
strings in the 'svn://' family of access protocols.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-14 12:01:45 ----

May affect rh9.

More info:

http://security.e-matters.de/advisories/082004.html
http://subversion.tigris.org/security/CAN-2004-0413-advisory.txt




------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-14 14:25:33 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for rh9:

Changelog:
* Mon Jun 14 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 0.27.0-3.legacy
- - security patches for CAN-2004-0397 and CAN-2004-0413

2f2d923689531c3dd405e9c3c3e730eb6503aa3e  subversion-0.27.0-3.legacy.i386.rpm
c430ffcef36bf7440c45b3aa0e78e79494a60aa6  subversion-0.27.0-3.legacy.src.rpm
24c4726f681592837d300a937d77ed0f0043d3c2  subversion-devel-0.27.0-3.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/subversion-0.27.0-3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/subversion-0.27.0-3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/subversion-devel-0.27.0-3.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAzkHWLMAs/0C4zNoRAo1fAJ9zeac2GgLsMYHGw1cFV9Uoa1zqiACfenKu
zGI0IYrwTfg6fTWUWCU5DB0=
=4Q/z
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom@netikka.fi 2004-07-04 02:47:03 ----

I did a QA on the RH9 packages in comment #2:

SHA1 is ok.
Spec file and the patches look ok.
Installs ok.
I did a basic functionality test by checking out code and it is working as
expected.

I vote for publish.



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-23 18:00:46 ----

Packages were pushed to updates-testing



------- Additional Comments From sheltren@cs.ucsb.edu 2005-03-04 13:52:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verifying packages from updates-testing:

9d08a9754083238df10241291832f90892f25e8f  subversion-0.27.0-4.legacy.i386.rpm
68609fdd91802c5f3fb2f6d1a0fe9ba8e20ece39  subversion-devel-0.27.0-4.legacy.i386.rpm

Signatures are good
Packages install OK
Tests of basic svnadmin/svn commands work fine
Created repository, checked out, updated, commited, dump repository, etc...

VERIFY++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCKPSuKe7MLJjUbNMRAodZAKCUGriyWckWODejQi8Uw5xYeQHxhQCgoYWZ
GLT6hh+NCAPiKe6DfoHftTM=
=C8Hr
-----END PGP SIGNATURE-----



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-07 03:23:49 ----

Packages were officially released



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:25 -------

This bug previously known as bug 1748 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1748
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

