Fedora 21: subversion Security Update
Summary
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes. Subversion only stores the differences between versions,
instead of every complete file. Subversion is intended to be a
compelling replacement for CVS.
Update Information:
This update includes the latest stable release of **Apache Subversion**, version **1.8.13**.
Three security vulnerabilities are fixed in this update:
* CVE-2015-0202: https://subversion.apache.org/security/CVE-2015-0202-advisory.txt
* CVE-2015-0248: https://subversion.apache.org/security/CVE-2015-0248-advisory.txt
* CVE-2015-0251: https://subversion.apache.org/security/CVE-2015-0251-advisory.txt
In addition, the following changes are included in the Subversion 1.8.13 update:
**Client-side bugfixes:**
* ra_serf: prevent abort of commits that have already succeeded
* ra_serf: support case-insensitivity in HTTP headers
* better error message if an external is shadowed
* ra_svn: fix reporting of directory read errors
* fix a redirect handling bug in 'svn log' over HTTP
* properly copy tree conflict information
* fix 'svn patch' output for reordered hunks * svnrdump load: don't load wrong props with no-deltas dump * fix working copy corruption with relative file external * don't crash if config file is unreadable
* svn resolve: don't ask a question with only one answer
* fix assertion failure in svn move
* working copy performance improvements
* handle existing working copies which become externals
* fix recording of WC meta-data for foreign repos copies
* fix calculating repository path of replaced directories
* fix calculating repository path after commit of switched nodes
* svnrdump: don't provide HEAD+1 as base revision for deletes
* don't leave conflict markers on files that are moved
* avoid unnecessary subtree mergeinfo recording
* fix diff of a locally copied directory with props
**Server-side bugfixes:**
* fsfs: fix a problem verifying pre-1.4 repos used with 1.8
* svnadmin freeze: fix memory allocation error
* svnadmin load: tolerate invalid mergeinfo at r0
* svnadmin load: strip references to r1 from mergeinfo * svnsync: strip any r0 references from mergeinfo * fsfs: reduce memory consumption when operating on dag nodes
* reject invalid get-location-segments requests in mod_dav_svn and svnserve
* mod_dav_svn: reject invalid txnprop change requests
**Client-side and server-side bugfixes:**
* fix undefined behaviour in string buffer routines
* fix consistency issues with APR r/w locks on Windows
* fix occasional SEGV if threads load DSOs in parallel
* properly duplicate svn error objects
* fix use-after-free in config parser
Change Log
* Tue Jul 14 2015 Joe Orton
References
[ 1 ] Bug #1205138 - CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers https://bugzilla.redhat.com/show_bug.cgi?id=1205138 [ 2 ] Bug #1205134 - CVE-2015-0202 subversion: (mod_dav_svn) remote denial of service with certain REPORT requests https://bugzilla.redhat.com/show_bug.cgi?id=1205134 [ 3 ] Bug #1205140 - CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions https://bugzilla.redhat.com/show_bug.cgi?id=1205140
Update Instructions
This update can be installed with the "yum" update program. Use su -c 'yum update subversion' at the command line. For more information, refer to "Managing Software with yum", available at .