Security update for subversion
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2016:3073-1
Final
1
1
2016-12-09T16:26:00Z
current
2016-12-09T16:26:00Z
2016-12-09T16:26:00Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for subversion
This update for subversion fixes the following issues:
- Version update to 1.9.5:
* Unrestricted XML entity expansion in mod_dontdothat and Subversion clients
using http(s)://
(boo#1011552, CVE-2016-8734)
- Client-side bugfixes:
* fix accessing non-existent paths during reintegrate merge (r1766699 et al)
* fix handling of newly secured subdirectories in working copy (r1724448)
* info: remove trailing whitespace in --show-item=revision (issue #4660)
* fix recording wrong revisions for tree conflicts (r1734106)
* gpg-agent: improve discovery of gpg-agent sockets (r1766327)
* gpg-agent: fix file descriptor leak (r1766323)
* resolve: fix --accept=mine-full for binary files (issue #4647)
* merge: fix possible crash (issue #4652)
* resolve: fix possible crash (r1748514)
* fix potential crash in Win32 crash reporter (r1663253 et al)
- Server-side bugfixes:
* fsfs: fix 'offset too large' error during pack (issue #4657)
* svnserve: enable hook script environments (r1769152)
* fsfs: fix possible data reconstruction error (issue #4658)
* fix source of spurious 'incoming edit' tree conflicts (r1770108)
* fsfs: improve caching for large directories (r1721285)
* fsfs: fix crash when encountering all-zero checksums (r1759686)
* fsfs: fix potential source of repository corruptions (r1756266)
* mod_dav_svn: fix excessive memory usage with mod_headers/mod_deflate
(issue #3084)
* mod_dav_svn: reduce memory usage during GET requests (r1757529 et al)
* fsfs: fix unexpected 'database is locked' errors (r1741096 et al)
* fsfs: fix opening old repositories without db/format files (r1720015)
- Client-side and server-side bugfixes:
* fix possible crash when reading invalid configuration files (r1715777)
- Bindings bugfixes:
* swig-pl: do not corrupt '{DATE}' revision variable (r1767768)
* javahl: fix temporary accepting SSL server certificates (r1764851)
* swig-pl: fix possible stack corruption (r1683266, r1683267)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/opensuse-updates/2016-12/msg00061.html
E-Mail link for openSUSE-SU-2016:3073-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
openSUSE Leap 42.2
libsvn_auth_gnome_keyring-1-0-1.9.5-3.2
libsvn_auth_kwallet-1-0-1.9.5-3.2
subversion-1.9.5-3.2
subversion-bash-completion-1.9.5-3.2
subversion-devel-1.9.5-3.2
subversion-perl-1.9.5-3.2
subversion-python-1.9.5-3.2
subversion-python-ctypes-1.9.5-3.2
subversion-ruby-1.9.5-3.2
subversion-server-1.9.5-3.2
subversion-tools-1.9.5-3.2
libsvn_auth_gnome_keyring-1-0-1.9.5-3.2 as a component of openSUSE Leap 42.2
libsvn_auth_kwallet-1-0-1.9.5-3.2 as a component of openSUSE Leap 42.2
subversion-1.9.5-3.2 as a component of openSUSE Leap 42.2
subversion-bash-completion-1.9.5-3.2 as a component of openSUSE Leap 42.2
subversion-devel-1.9.5-3.2 as a component of openSUSE Leap 42.2
subversion-perl-1.9.5-3.2 as a component of openSUSE Leap 42.2
subversion-python-1.9.5-3.2 as a component of openSUSE Leap 42.2
subversion-python-ctypes-1.9.5-3.2 as a component of openSUSE Leap 42.2
subversion-ruby-1.9.5-3.2 as a component of openSUSE Leap 42.2
subversion-server-1.9.5-3.2 as a component of openSUSE Leap 42.2
subversion-tools-1.9.5-3.2 as a component of openSUSE Leap 42.2
Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.
CVE-2016-8734
openSUSE Leap 42.2:libsvn_auth_gnome_keyring-1-0-1.9.5-3.2
openSUSE Leap 42.2:libsvn_auth_kwallet-1-0-1.9.5-3.2
openSUSE Leap 42.2:subversion-1.9.5-3.2
openSUSE Leap 42.2:subversion-bash-completion-1.9.5-3.2
openSUSE Leap 42.2:subversion-devel-1.9.5-3.2
openSUSE Leap 42.2:subversion-perl-1.9.5-3.2
openSUSE Leap 42.2:subversion-python-1.9.5-3.2
openSUSE Leap 42.2:subversion-python-ctypes-1.9.5-3.2
openSUSE Leap 42.2:subversion-ruby-1.9.5-3.2
openSUSE Leap 42.2:subversion-server-1.9.5-3.2
openSUSE Leap 42.2:subversion-tools-1.9.5-3.2
low
3.5
AV:N/AC:M/Au:S/C:N/I:N/A:P
Please Install the update.
https://lists.opensuse.org/opensuse-updates/2016-12/msg00061.html
https://www.suse.com/security/cve/CVE-2016-8734.html
CVE-2016-8734
https://bugzilla.suse.com/1011552
SUSE Bug 1011552