Bug 152738 - CAN-2004-0397 CAN-2004-0413 subversion advisories
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: subversion
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
Whiteboard: LEGACY, rh90
Reported: 2004-06-14 16:00 UTC by Marc Deslauriers
Modified: 2007-04-18 17:22 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-04-05 23:15:53 UTC

Description David Lawrence 2005-03-30 23:25:44 UTC
CAN-2004-0397:
Subversion versions up to 1.0.2 are vulnerable to a date parsing 
vulnerability which can be abused to allow remote code execution
on Subversion servers and therefore could lead to a repository
compromise.

CAN-2004-0413:
Subversion versions up to and including 1.0.4 have a potential
Denial of Service and Heap Overflow issue related to the parsing of
strings in the 'svn://' family of access protocols.



------- Additional Comments From marcdeslauriers 2004-06-14 12:01:45 ----

May affect rh9.

More info:

http://security.e-matters.de/advisories/082004.html
http://subversion.tigris.org/security/CAN-2004-0413-advisory.txt




------- Additional Comments From marcdeslauriers 2004-06-14 14:25:33 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for rh9:

Changelog:
* Mon Jun 14 2004 Marc Deslauriers <marcdeslauriers> 0.27.0-3.legacy
- - security patches for CAN-2004-0397 and CAN-2004-0413

2f2d923689531c3dd405e9c3c3e730eb6503aa3e  subversion-0.27.0-3.legacy.i386.rpm
c430ffcef36bf7440c45b3aa0e78e79494a60aa6  subversion-0.27.0-3.legacy.src.rpm
24c4726f681592837d300a937d77ed0f0043d3c2  subversion-devel-0.27.0-3.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/subversion-0.27.0-3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/subversion-0.27.0-3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/subversion-devel-0.27.0-3.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAzkHWLMAs/0C4zNoRAo1fAJ9zeac2GgLsMYHGw1cFV9Uoa1zqiACfenKu
zGI0IYrwTfg6fTWUWCU5DB0=
=4Q/z
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom 2004-07-04 02:47:03 ----

I did a QA on the RH9 packages in comment #2:

SHA1 is ok.
Spec file and the patches look ok.
Installs ok.
I did a basic functionality test by checking out code and it is working as
expected.

I vote for publish.



------- Additional Comments From marcdeslauriers 2005-02-23 18:00:46 ----

Packages were pushed to updates-testing



------- Additional Comments From sheltren.edu 2005-03-04 13:52:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verifying packages from updates-testing:

9d08a9754083238df10241291832f90892f25e8f  subversion-0.27.0-4.legacy.i386.rpm
68609fdd91802c5f3fb2f6d1a0fe9ba8e20ece39  subversion-devel-0.27.0-4.legacy.i386.rpm

Signatures are good
Packages install OK
Tests of basic svnadmin/svn commands work fine
Created repository, checked out, updated, committed, dump repository, etc...

VERIFY++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCKPSuKe7MLJjUbNMRAodZAKCUGriyWckWODejQi8Uw5xYeQHxhQCgoYWZ
GLT6hh+NCAPiKe6DfoHftTM=
=C8Hr
-----END PGP SIGNATURE-----



------- Additional Comments From marcdeslauriers 2005-03-07 03:23:49 ----

Packages were officially released



------- Bug moved to this database by dkl 2005-03-30 18:25 -------

This bug previously known as bug 1748 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1748
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



