diff options
author | bsiegert <bsiegert@pkgsrc.org> | 2022-04-12 16:24:28 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2022-04-12 16:24:28 +0000 |
commit | 88e98f220ca5e6441b61e1c72323954741a6ed13 (patch) | |
tree | 70aeb79d84fdb27e9b5344bf5b726486c7620100 | |
parent | 33143c374e6678f832aa78199a61dbad4200f687 (diff) | |
download | pkgsrc-88e98f220ca5e6441b61e1c72323954741a6ed13.tar.gz |
subversion: update to 1.4.2 (security).
HIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:
CVE-2021-28544
"SVN authz protected copyfrom paths regression"
The full security advisory for CVE-2021-28544 is available at:
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc
A brief summary of this advisory follows:
Subversion servers reveal 'copyfrom' paths that should be hidden according to
configured path-based authorization (authz) rules. When a node has been
copied from a protected location, users with access to the copy can see the
`copyfrom' path of the original. This also reveals the fact that
the node was copied.
Only the 'copyfrom' path is revealed; not its contents. Both httpd
and svnserve
servers are vulnerable.
We recommend all users to upgrade to a known fixed release of the
Subversion server.
This issue was reported by Evgeny Kotkov
CVE-2022-24070
"Subversion's mod_dav_svn is vulnerable to memory corruption"
The full security advisory for CVE-2022-24070 is available at:
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc
A brief summary of this advisory follows:
While looking up path-based authorization rules, mod_dav_svn servers
may attempt to use memory which has already been freed.
We recommend all users to upgrade to a known fixed release of the
Subversion server.
This issue was reported by Thomas Weißschuh
-rw-r--r-- | devel/java-subversion/Makefile | 3 | ||||
-rw-r--r-- | devel/p5-subversion/Makefile | 3 | ||||
-rw-r--r-- | devel/py-subversion/Makefile | 3 | ||||
-rw-r--r-- | devel/ruby-subversion/Makefile | 3 | ||||
-rw-r--r-- | devel/subversion-base/Makefile | 3 | ||||
-rw-r--r-- | devel/subversion/Makefile.version | 4 | ||||
-rw-r--r-- | devel/subversion/distinfo | 8 |
7 files changed, 11 insertions, 16 deletions
diff --git a/devel/java-subversion/Makefile b/devel/java-subversion/Makefile index f353569a2c1..83df852ee5d 100644 --- a/devel/java-subversion/Makefile +++ b/devel/java-subversion/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.61 2021/12/08 16:03:59 adam Exp $ +# $NetBSD: Makefile,v 1.62 2022/04/12 16:24:28 bsiegert Exp $ PKGNAME= java-subversion-${SVNVER} -PKGREVISION= 3 COMMENT= Java bindings for Subversion MAKE_JOBS_SAFE= no diff --git a/devel/p5-subversion/Makefile b/devel/p5-subversion/Makefile index 6b5e9cc6d6f..a4be2150301 100644 --- a/devel/p5-subversion/Makefile +++ b/devel/p5-subversion/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.121 2021/12/08 16:04:04 adam Exp $ +# $NetBSD: Makefile,v 1.122 2022/04/12 16:24:28 bsiegert Exp $ PKGNAME= p5-subversion-${SVNVER} -PKGREVISION= 3 COMMENT= Perl bindings for Subversion .include "../../devel/subversion/Makefile.common" diff --git a/devel/py-subversion/Makefile b/devel/py-subversion/Makefile index aaed2132a49..f14f3605f51 100644 --- a/devel/py-subversion/Makefile +++ b/devel/py-subversion/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.94 2021/12/08 16:04:05 adam Exp $ +# $NetBSD: Makefile,v 1.95 2022/04/12 16:24:28 bsiegert Exp $ PKGNAME= ${PYPKGPREFIX}-subversion-${SVNVER} -PKGREVISION= 3 COMMENT= Python bindings and tools for Subversion .include "../../devel/subversion/Makefile.common" diff --git a/devel/ruby-subversion/Makefile b/devel/ruby-subversion/Makefile index f0d20f73940..ac0598ca228 100644 --- a/devel/ruby-subversion/Makefile +++ b/devel/ruby-subversion/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.83 2021/12/08 16:04:07 adam Exp $ +# $NetBSD: Makefile,v 1.84 2022/04/12 16:24:28 bsiegert Exp $ PKGNAME= ${RUBY_PKGPREFIX}-subversion-${SVNVER} -PKGREVISION= 3 COMMENT= Ruby bindings for Subversion .include "../../devel/subversion/Makefile.common" diff --git a/devel/subversion-base/Makefile b/devel/subversion-base/Makefile index 39d61b1a42c..c52b250e1c3 100644 --- a/devel/subversion-base/Makefile +++ b/devel/subversion-base/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.129 2021/12/08 16:02:03 adam Exp $ +# $NetBSD: Makefile,v 1.130 2022/04/12 16:24:28 bsiegert Exp $ PKGNAME= subversion-base-${SVNVER} -PKGREVISION= 3 COMMENT= Version control system, base programs and libraries # on at least solaris, configure fails to figure out diff --git a/devel/subversion/Makefile.version b/devel/subversion/Makefile.version index e7f8d9b278e..c7df3f04a10 100644 --- a/devel/subversion/Makefile.version +++ b/devel/subversion/Makefile.version @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.version,v 1.87 2021/02/14 15:09:19 adam Exp $ +# $NetBSD: Makefile.version,v 1.88 2022/04/12 16:24:28 bsiegert Exp $ # When updating subversion, all packages are updated at the same time # to have a consistent set of packages. A particularly tricky aspect @@ -7,5 +7,5 @@ # changing the version. .if !defined(SVNVER) -SVNVER= 1.14.1 +SVNVER= 1.14.2 .endif diff --git a/devel/subversion/distinfo b/devel/subversion/distinfo index 8561a10cf59..c6e79425877 100644 --- a/devel/subversion/distinfo +++ b/devel/subversion/distinfo @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.118 2021/10/26 10:19:57 nia Exp $ +$NetBSD: distinfo,v 1.119 2022/04/12 16:24:28 bsiegert Exp $ -BLAKE2s (subversion-1.14.1.tar.bz2) = af51085e4a85be8367c51e407958a56118c0bfedda1a6f77576597e092662f42 -SHA512 (subversion-1.14.1.tar.bz2) = 0a70c7152b77cdbcb810a029263e4b3240b6ef41d1c19714e793594088d3cca758d40dfbc05622a806b06463becb73207df249393924ce591026b749b875fcdd -Size (subversion-1.14.1.tar.bz2) = 8504612 bytes +BLAKE2s (subversion-1.14.2.tar.bz2) = efb49dfb51b3f6c51ac7fe41b3dc593efeef1f9c2fdfa51567ab3940627162ea +SHA512 (subversion-1.14.2.tar.bz2) = 20ada4688ca07d9fb8da4b7d53b5084568652a3b9418c65e688886bae950a16a3ff37710fcfc9c29ef14a89e75b2ceec4e9cf35d5876a7896ebc2b512cfb9ecc +Size (subversion-1.14.2.tar.bz2) = 8606570 bytes SHA1 (patch-Makefile.in) = 2df6c733d563c0bc7e0d1b4b6e6e00f82ea8c176 SHA1 (patch-configure) = cca6c305c28005496df0913637a9eb778a846fc0 SHA1 (patch-subversion_bindings_swig_perl_native_Makefile.PL.in) = 3fadde312693f2a304cd7e348c66cbd373c57854 |