Message ID | 20220413121822.2448474-1-peter@korsgaard.com
---|---
State | Accepted
Series | package/subversion: security bump to version 1.14.2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

> Fixes the following security issues:

> - CVE-2021-28544: SVN authz protected copyfrom paths regression

>   Subversion servers reveal 'copyfrom' paths that should be hidden according
>   to configured path-based authorization (authz) rules. When a node has
>   been copied from a protected location, users with access to the copy can
>   see the 'copyfrom' path of the original. This also reveals the fact that
>   the node was copied. Only the 'copyfrom' path is revealed, not its
>   contents. Both httpd and svnserve servers are vulnerable.

>   https://subversion.apache.org/security/CVE-2021-28544-advisory.txt

> - CVE-2022-24070: Subversion's mod_dav_svn is vulnerable to memory corruption

>   While looking up path-based authorization rules, mod_dav_svn servers may
>   attempt to use memory which has already been freed.

>   https://subversion.apache.org/security/CVE-2022-24070-advisory.txt

> Drop no longer needed patch and autoreconf, as this is now fixed upstream:
> https://svn.apache.org/viewvc?view=revision&revision=1881534

> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

> Fixes the following security issues:

> - CVE-2021-28544: SVN authz protected copyfrom paths regression

>   Subversion servers reveal 'copyfrom' paths that should be hidden according
>   to configured path-based authorization (authz) rules. When a node has
>   been copied from a protected location, users with access to the copy can
>   see the 'copyfrom' path of the original. This also reveals the fact that
>   the node was copied. Only the 'copyfrom' path is revealed, not its
>   contents. Both httpd and svnserve servers are vulnerable.

>   https://subversion.apache.org/security/CVE-2021-28544-advisory.txt

> - CVE-2022-24070: Subversion's mod_dav_svn is vulnerable to memory corruption

>   While looking up path-based authorization rules, mod_dav_svn servers may
>   attempt to use memory which has already been freed.

>   https://subversion.apache.org/security/CVE-2022-24070-advisory.txt

> Drop no longer needed patch and autoreconf, as this is now fixed upstream:
> https://svn.apache.org/viewvc?view=revision&revision=1881534

> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2022.02.x, thanks.
diff --git a/package/subversion/0001-workaround-ac-run-ifelse.patch b/package/subversion/0001-workaround-ac-run-ifelse.patch deleted file mode 100644 index 4f229dc49b..0000000000 --- a/package/subversion/0001-workaround-ac-run-ifelse.patch +++ /dev/null @@ -1,23 +0,0 @@ -build/ac-macros/macosx.m4: workaround AC_RUN_IFELSE - -The SVN_LIB_MACHO_ITERATE macro contains an AC_RUN_IFELSE test that -doesn't work when cross-compiling. However, this macro is related to -testing Mac OS X APIs, so in the context of Buildroot, we don't care, -and the test program is not even going to build. So we simply -workaround this by turning the test into an AC_COMPILE_IFELSE. - -Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> - -Index: b/build/ac-macros/macosx.m4 -=================================================================== ---- a/build/ac-macros/macosx.m4 -+++ b/build/ac-macros/macosx.m4 -@@ -24,7 +24,7 @@ - AC_DEFUN(SVN_LIB_MACHO_ITERATE, - [ - AC_MSG_CHECKING([for Mach-O dynamic module iteration functions]) -- AC_RUN_IFELSE([AC_LANG_PROGRAM([[ -+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ - #include <mach-o/dyld.h> - #include <mach-o/loader.h> - ]],[[ diff --git a/package/subversion/subversion.hash b/package/subversion/subversion.hash index 534d596514..d2239b1b5b 100644 --- a/package/subversion/subversion.hash +++ b/package/subversion/subversion.hash @@ -1,5 +1,5 @@ -# From https://www.apache.org/dist/subversion/subversion-1.14.1.tar.bz2.sha512 -sha512 0a70c7152b77cdbcb810a029263e4b3240b6ef41d1c19714e793594088d3cca758d40dfbc05622a806b06463becb73207df249393924ce591026b749b875fcdd subversion-1.14.1.tar.bz2 +# From https://www.apache.org/dist/subversion/subversion-1.14.2.tar.bz2.sha512 +sha512 20ada4688ca07d9fb8da4b7d53b5084568652a3b9418c65e688886bae950a16a3ff37710fcfc9c29ef14a89e75b2ceec4e9cf35d5876a7896ebc2b512cfb9ecc subversion-1.14.2.tar.bz2 # Locally calculated sha256 484aff0cfbb81155a10f903ed756e27e9fc65578c245a295bae295c4bb51eaad LICENSE 
diff --git a/package/subversion/subversion.mk b/package/subversion/subversion.mk index d4cc717536..b27058c024 100644 --- a/package/subversion/subversion.mk +++ b/package/subversion/subversion.mk @@ -4,7 +4,7 @@ # ################################################################################ -SUBVERSION_VERSION = 1.14.1 +SUBVERSION_VERSION = 1.14.2 SUBVERSION_SOURCE = subversion-$(SUBVERSION_VERSION).tar.bz2 SUBVERSION_SITE = https://downloads.apache.org/subversion SUBVERSION_LICENSE = Apache-2.0 @@ -20,7 +20,6 @@ SUBVERSION_DEPENDENCIES = \ zlib \ sqlite \ $(TARGET_NLS_DEPENDENCIES) -SUBVERSION_AUTORECONF = YES SUBVERSION_CONF_OPTS = \ --with-expat=$(STAGING_DIR)/usr/include:$(STAGING_DIR)/usr/lib: \ --with-apr=$(STAGING_DIR)/usr \
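Review bot: the deletion of 0001-workaround-ac-run-ifelse.patch rests on the commit log's claim that upstream r1881534 supersedes the local AC_RUN_IFELSE to AC_COMPILE_IFELSE change in SVN_LIB_MACHO_ITERATE, but the log does not say that this revision is part of the 1.14.2 release rather than only of trunk. A sentence confirming that build/ac-macros/macosx.m4 in the 1.14.2 tarball no longer contains the run test, or that a cross build of 1.14.2 was done without the patch, would make the removal verifiable from the log alone.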
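Review bot: the new sha512 line in subversion.hash is copied from the .sha512 file served next to the tarball, which pins the download to what Apache publishes but, for a security bump, does not by itself show that the tarball is the one the release manager signed; checking subversion-1.14.2.tar.bz2 against subversion-1.14.2.tar.bz2.asc with the project's KEYS file before committing the hash, and saying so in the log, closes that gap. The comment line cites https://www.apache.org/dist/subversion/ while SUBVERSION_SITE in subversion.mk is https://downloads.apache.org/subversion; both are Apache-served, but one consistent URL is easier to audit. Carrying the LICENSE sha256 over unchanged assumes the LICENSE file is byte-identical in 1.14.2, which the legal-info hash check will confirm or reject.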
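Review bot: in the second subversion.mk hunk, dropping SUBVERSION_AUTORECONF = YES means Buildroot now runs the configure script shipped in the tarball as-is instead of regenerating it from the .m4 sources, so the upstream macosx.m4 fix only takes effect if the released configure was generated after it; if it was not, the cross build stops at the Mach-O iteration check with autoconf's "cannot run test program while cross compiling" error instead of failing at compile time as before. A note in the log that the shipped configure was inspected, or that a cross build of 1.14.2 succeeded with this change, would settle that.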
Fixes the following security issues:

- CVE-2021-28544: SVN authz protected copyfrom paths regression

  Subversion servers reveal 'copyfrom' paths that should be hidden according
  to configured path-based authorization (authz) rules. When a node has
  been copied from a protected location, users with access to the copy can
  see the 'copyfrom' path of the original. This also reveals the fact that
  the node was copied. Only the 'copyfrom' path is revealed, not its
  contents. Both httpd and svnserve servers are vulnerable.

  https://subversion.apache.org/security/CVE-2021-28544-advisory.txt

- CVE-2022-24070: Subversion's mod_dav_svn is vulnerable to memory corruption

  While looking up path-based authorization rules, mod_dav_svn servers may
  attempt to use memory which has already been freed.

  https://subversion.apache.org/security/CVE-2022-24070-advisory.txt

Drop no longer needed patch and autoreconf, as this is now fixed upstream:
https://svn.apache.org/viewvc?view=revision&revision=1881534

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 .../0001-workaround-ac-run-ifelse.patch | 23 -------------------
 package/subversion/subversion.hash       |  4 ++--
 package/subversion/subversion.mk         |  3 +--
 3 files changed, 3 insertions(+), 27 deletions(-)
 delete mode 100644 package/subversion/0001-workaround-ac-run-ifelse.patch
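The CVE-2021-28544 text above describes the leak but not the decision a server has to get right: when it renders a changed-path entry for a copied node, the "(from ...)" part must be subject to the same authz lookup as any other path. The following Python is an added illustration of that check written for this page; it is not Subversion's code and not part of this patch. Its authz semantics are an assumption that approximates the documented rules: the section for the most specific path wins, a [repo:/path] section beats the global [/path] one for the same path, and within a section a rule naming the user beats @group rules, which beat $authenticated/$anonymous, which beat '*'; aliases, ~negation and [:glob:] sections are not handled, and a path with no rule anywhere is unreadable. The sample authz file and the copied node are constructed for the example.

```python
# Added illustration for CVE-2021-28544, not Subversion's own code: a server that
# lists a copied node may show the 'copyfrom' source only to readers whose authz
# rules grant read access to it.  Simplified authz semantics (assumption): the most
# specific path section wins, then user > @group > $authenticated/$anonymous > '*'.
import configparser
import posixpath

ANONYMOUS = None  # reader that did not authenticate
RIGHTS = {"": frozenset(), "r": frozenset("r"), "rw": frozenset("rw")}


def parse_authz(text):
    """Return (groups, sections): {group: [members]}, {(repo, path): {rule: spec}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, allow_no_value=True)
    cp.optionxform = str  # user names and paths are case-sensitive
    cp.read_string(text)
    groups = {n: [m.strip() for m in (v or "").split(",") if m.strip()]
              for n, v in (cp["groups"].items() if cp.has_section("groups") else [])}
    sections = {}
    for sect in cp.sections():
        if sect in ("groups", "aliases"):  # [aliases] is not modelled here
            continue
        repo, path = sect.split(":", 1) if ":" in sect else ("", sect)
        sections[(repo, "/" + path.strip("/"))] = {k: (v or "").strip()
                                                    for k, v in cp[sect].items()}
    return groups, sections


def members_of(groups, name):
    """Expand a group, following nested @group members (svn rejects cyclic groups)."""
    out = set()
    for m in groups.get(name, []):
        out |= members_of(groups, m[1:]) if m.startswith("@") else {m}
    return out


def section_rights(rules, groups, user):
    """Rights granted by the most specific rule of a section that applies, else None."""
    best_level, best = None, set()
    for name, spec in rules.items():
        if name.startswith("@"):
            level, applies = 1, user is not ANONYMOUS and user in members_of(groups, name[1:])
        elif name in ("$authenticated", "$anonymous"):
            level, applies = 2, (user is ANONYMOUS) == (name == "$anonymous")
        elif name == "*":
            level, applies = 3, True
        else:
            level, applies = 0, name == user
        if not applies:
            continue
        if best_level is None or level < best_level:
            best_level, best = level, set(RIGHTS[spec])
        elif level == best_level:  # equal specificity, e.g. two groups: union
            best |= RIGHTS[spec]
    return None if best_level is None else best


def can_read(authz, user, repo, path):
    """True if user may read repo:path; the nearest ancestor with a rule decides."""
    groups, sections = authz
    cur = "/" + path.strip("/")
    while True:
        for key in ((repo, cur), ("", cur)):  # repo-specific section first
            if key in sections:
                granted = section_rights(sections[key], groups, user)
                if granted is not None:
                    return "r" in granted
        if cur == "/":
            return False  # no rule anywhere: default deny
        cur = posixpath.dirname(cur)


def log_changed_path(authz, user, repo, action, path, copyfrom=None, hide_protected=True):
    """One 'svn log -v' changed-path line for this reader, None if the node is hidden.
    copyfrom is (source path, revision).  hide_protected=True is the fixed behaviour;
    False reproduces the regression: the source is shown whether or not readable."""
    if not can_read(authz, user, repo, path):
        return None
    line = f"{action} {path}"
    if copyfrom is not None and (not hide_protected or can_read(authz, user, repo, copyfrom[0])):
        line += f" (from {copyfrom[0]}:{copyfrom[1]})"
    return line


# Constructed sample authz file, not taken from any real deployment.
SAMPLE_AUTHZ = """[groups]
devs = harry, sally
admins = @devs, root
[/]
* = r
[/private]
* =
@admins = rw
[calc:/private/hr]
harry =
"""
```

With the sample rules, an anonymous reader asking for the copy of /private/plan.txt that landed in /public gets "A /public/plan.txt" from the fixed path and "A /public/plan.txt (from /private/plan.txt:12)" from the regressed one, which is exactly the information the advisory says leaked: the existence of a protected source path and the fact that a copy was made. On a real server the same comparison is done by running svn log -v against a revision that copies out of a protected directory, once as a user with read access to the source and once as a user without it.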