Matt Lewis discovered an integer overflow flaw in the subversion server. A user with commit access to a repository could send a specially crafted commit that could cause the subversion server to crash or possibly execute arbitrary code with the permissions of the server.
Public now: http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt
The advisory indicates these are heap overflow issues, not an integer overflow issue (just to clarify).
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 4. Via RHSA-2009:1203: https://rhn.redhat.com/errata/RHSA-2009-1203.html
subversion-1.6.4-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
subversion-1.6.4-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
> subversion-1.6.4-2.fc10 has been pushed ...
Despite comment #6 and the FEDORA-2009-8432 announcement, so far this update did not show up in Fedora 10 repositories. Other F10 packages announced at the same time and later, and also subversion-1.6.4-2.fc11 for F11, already did.
Michal: https://fedorahosted.org/bodhi/ticket/350
> https://fedorahosted.org/bodhi/ticket/350
It appears that "Priority: major" of this ticket is not so major after all. It does not seem to have any repository effects after a week.
subversion-1.6.4-2.fc10 at last showed up on repos. The catch is that this took over two weeks for a security update. Smells like a problem to me although I do not know where.