CAN-2004-0397: Subversion versions up to 1.0.2 are vulnerable to a date parsing vulnerability which can be abused to allow remote code execution on Subversion servers and therefore could lead to a repository compromise.

CAN-2004-0413: Subversion versions up to and including 1.0.4 have a potential Denial of Service and Heap Overflow issue related to the parsing of strings in the 'svn://' family of access protocols.

------- Additional Comments From marcdeslauriers 2004-06-14 12:01:45 ----

May affect rh9.

More info:
http://security.e-matters.de/advisories/082004.html
http://subversion.tigris.org/security/CAN-2004-0413-advisory.txt

------- Additional Comments From marcdeslauriers 2004-06-14 14:25:33 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for rh9:

Changelog:
* Mon Jun 14 2004 Marc Deslauriers <marcdeslauriers> 0.27.0-3.legacy
- security patches for CAN-2004-0397 and CAN-2004-0413

2f2d923689531c3dd405e9c3c3e730eb6503aa3e  subversion-0.27.0-3.legacy.i386.rpm
c430ffcef36bf7440c45b3aa0e78e79494a60aa6  subversion-0.27.0-3.legacy.src.rpm
24c4726f681592837d300a937d77ed0f0043d3c2  subversion-devel-0.27.0-3.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/subversion-0.27.0-3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/subversion-0.27.0-3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/subversion-devel-0.27.0-3.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAzkHWLMAs/0C4zNoRAo1fAJ9zeac2GgLsMYHGw1cFV9Uoa1zqiACfenKu
zGI0IYrwTfg6fTWUWCU5DB0=
=4Q/z
-----END PGP SIGNATURE-----

------- Additional Comments From jonny.strom 2004-07-04 02:47:03 ----

I did a QA on the RH9 packages in comment #2:
SHA1 is ok.
Spec file and the patches look ok.
Installs ok.
I did a basic functionality test by checking out code and it is working as expected.
I vote for publish.
------- Additional Comments From marcdeslauriers 2005-02-23 18:00:46 ----

Packages were pushed to updates-testing

------- Additional Comments From sheltren.edu 2005-03-04 13:52:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verifying packages from updates-testing:

9d08a9754083238df10241291832f90892f25e8f  subversion-0.27.0-4.legacy.i386.rpm
68609fdd91802c5f3fb2f6d1a0fe9ba8e20ece39  subversion-devel-0.27.0-4.legacy.i386.rpm

Signatures are good
Packages install OK
Tests of basic svnadmin/svn commands work fine
Created repository, checked out, updated, committed, dumped repository, etc...

VERIFY++

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCKPSuKe7MLJjUbNMRAodZAKCUGriyWckWODejQi8Uw5xYeQHxhQCgoYWZ
GLT6hh+NCAPiKe6DfoHftTM=
=C8Hr
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2005-03-07 03:23:49 ----

Packages were officially released

------- Bug moved to this database by dkl 2005-03-30 18:25 -------

This bug previously known as bug 1748 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1748
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.