pkgsrc/devel/subversion/Makefile.version
bsiegert fe176e6438 subversion: update to 1.4.2 (security).
THIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:

CVE-2021-28544
"SVN authz protected copyfrom paths regression"

The full security advisory for CVE-2021-28544 is available at:
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc

A brief summary of this advisory follows:

   Subversion servers reveal 'copyfrom' paths that should be hidden according to
   configured path-based authorization (authz) rules.  When a node has been
   copied from a protected location, users with access to the copy can see the
   'copyfrom' path of the original.  This also reveals the fact that
   the node was copied.
   Only the 'copyfrom' path is revealed; not its contents. Both httpd
   and svnserve servers are vulnerable.

   We recommend all users to upgrade to a known fixed release of the
   Subversion server.

   This issue was reported by Evgeny Kotkov

CVE-2022-24070
"Subversion's mod_dav_svn is vulnerable to memory corruption"

The full security advisory for CVE-2022-24070 is available at:
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc

A brief summary of this advisory follows:

   While looking up path-based authorization rules, mod_dav_svn servers
   may attempt to use memory which has already been freed.

   We recommend all users to upgrade to a known fixed release of the
   Subversion server.

   This issue was reported by Thomas Weißschuh
2022-04-12 16:24:28 +00:00


# $NetBSD: Makefile.version,v 1.88 2022/04/12 16:24:28 bsiegert Exp $
# When updating subversion, all packages are updated at the same time
# to have a consistent set of packages. A particularly tricky aspect
# is our interaction with the svn build system. See the make target
# "svn-build-outputs-hack" in devel/subversion-base/Makefile when
# changing the version.
.if !defined(SVNVER)
SVNVER= 1.14.2
.endif