FEDORA-2019-1f81367ac3

security update in Fedora 28 for subversion

Status: stable 6 months ago

This update includes the latest stable release of Apache Subversion, version 1.11.1. This update fixes a security issue in mod_dav_svn, CVE-2018-11803:

Malicious SVN clients can trigger a crash in mod_dav_svn by omitting the root path from a recursive directory listing request.

See https://subversion.apache.org/security/CVE-2018-11803-advisory.txt for more information.

User-visible changes:

Minor new features and improvements:

  • Conflict resolver support for added vs unversioned file
  • Conflict resolver support for unversioned directories
  • Improve help for 'svn add' and the '-N' option
  • Improve display of Mac OS name in 'svn --version --verbose'

Client-side bugfixes:

  • Fix: repos-to-WC copy with --parents doesn't create dirs (issue 4768)
  • Fix: foreign repo copy with peg/operative revisions (issue 4785)
  • Fix: foreign repo copy of file adding mergeinfo (issue 4792)
  • Fix: assertion failure using -rPREV on a working copy at r0 (issue 4532)
  • Fix: tree conflict message ends a sentence with a colon (issue 4717)

Server-side bugfixes:

  • Fix: unexpected SVN_ERR_FS_NOT_DIRECTORY errors (issue 4791)
  • Fix: mod_dav_svn's SVNUseUTF8 had no effect in some setups
  • Fix crash in mod_http2 (issue 4782)

Other tool improvements and bugfixes:

  • svndumpfilter: Clarify error messages by including node path

Bindings bugfixes:

  • JavaHL: Fix crash in client code when using external diff

Developer-visible changes:

General:

  • Fix build on systems without python in $PATH
  • Fix compiler warnings about indentation

Comments 10

This update has been submitted for testing by jorton.

This update has been pushed to testing.

works for me

karma: +1

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

no regressions noted

karma: +1

jorton edited this update.

jorton edited this update.

This update has been submitted for batched by jorton.

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: security
Update Severity: medium
Karma: +2 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates:

  • submitted 7 months ago
  • in testing 7 months ago
  • in stable 6 months ago
  • modified 6 months ago

Related Bugs 2

  • #1668807 CVE-2018-11803 subversion: malicious SVN clients can crash mod_dav_svn
  • #1671271 CVE-2018-11803 subversion: malicious SVN clients can crash mod_dav_svn [fedora-all]
