Author: hartmannathan
Date: Fri Dec 8 05:40:20 2023
New Revision: 1914449

URL: http://svn.apache.org/viewvc?rev=1914449&view=rev
Log:
* CHANGES (1.14.x): Merge missing revs from trunk
Modified: subversion/branches/1.14.x/CHANGES (contents, props changed) Modified: subversion/branches/1.14.x/CHANGES URL: http://svn.apache.org/viewvc/subversion/branches/1.14.x/CHANGES?rev=1914449&r1=1914448&r2=1914449&view=diff ============================================================================== --- subversion/branches/1.14.x/CHANGES (original) +++ subversion/branches/1.14.x/CHANGES Fri Dec 8 05:40:20 2023 @@ -38,7 +38,6 @@ Version 1.14.2 (12 Apr 2022, from /branches/1.14.x) User-visible changes: - Client-side bugfixes: - * Don't show unreadable copyfrom paths in 'svn log -v' (r1899227) * Fix -r option documentation for some svnadmin subcommands (r1896877) * Fix error message encoding when system() call fails (r1887641, r1890013) * Fix assertion failure in conflict resolver (r1892470, -471, -541) @@ -47,7 +46,8 @@ Version 1.14.2 * Support multiple working copy formats (1.8-onward, 1.15) (issue #????) - Server-side bugfixes: - * Fix use-after-free of object-pools when running in httpd (issue #4880) + * Fix CVE-2021-28544: authz protected copyfrom paths regression (r1899227) + * Fix CVE-2022-24070: use-after-free in mod_dav_svn (issue #4880) Developer-visible changes: * Add test coverage for CVE-2020-17525 (r1883838 et al) @@ -326,11 +326,11 @@ Version 1.10.8 (12 Apr 2022, from /branches/1.10.x) User-visible changes: - Client-side bugfixes: - * Don't show unreadable copyfrom paths in 'svn log -v' (r1899227) * Fix merge assertion failure in svn_sort__array_insert (issue #4840) - Server-side bugfixes: - * Fix use-after-free of object-pools when running in httpd (issue #4880) + * Fix CVE-2021-28544: authz protected copyfrom paths regression (r1899227) + * Fix CVE-2022-24070: use-after-free in mod_dav_svn (issue #4880) * Fix authz doesn't combine global and repository rules (issue #4762) Developer-visible changes: 
@@ -2486,7 +2486,7 @@ http://svn.apache.org/repos/asf/subversi * svnadmin upgrade: fix data loss when cancelling in last stage (r1494298) * mod_dav_svn: fix incorrect path canonicalization (r1503528) See CVE-2013-4131, and descriptive advisory at - http://subversion.apache.org/security/CVE-2013-4131-advisory.txt + https://subversion.apache.org/security/CVE-2013-4131-advisory.txt - Other tool improvements and bugfixes: * fsfs-stats (tool): resolve segfault when passing invalid path (r1492164) @@ -3083,12 +3083,12 @@ http://svn.apache.org/repos/asf/subversi - Server-side bugfixes: * mod_dav_svn: fix incorrect path canonicalization (r1503528) See CVE-2013-4131, and descriptive advisory at - http://subversion.apache.org/security/CVE-2013-4131-advisory.txt + https://subversion.apache.org/security/CVE-2013-4131-advisory.txt - Other tool improvements and bugfixes: * fix argument processing in contrib hook scripts (r1485350) See CVE-2013-2088, and descriptive advisory at - http://subversion.apache.org/security/CVE-2013-2088-advisory.txt + https://subversion.apache.org/security/CVE-2013-2088-advisory.txt Developer-visible changes: - Bindings: @@ -3115,10 +3115,10 @@ http://svn.apache.org/repos/asf/subversi - Server-side bugfixes: * fix FSFS repository corruption due to newline in filename (issue #4340) See CVE-2013-1968, and descriptive advisory at - http://subversion.apache.org/security/CVE-2013-1968-advisory.txt + https://subversion.apache.org/security/CVE-2013-1968-advisory.txt * fix svnserve exiting when a client connection is aborted (r1482759) See CVE-2013-2112, and descriptive advisory at - http://subversion.apache.org/security/CVE-2013-2112-advisory.txt + https://subversion.apache.org/security/CVE-2013-2112-advisory.txt * fix svnserve memory use after clear (issue #4365) * fix repository corruption on power/disk failure on Windows (r1483781) 
@@ -3146,7 +3146,7 @@ http://svn.apache.org/repos/asf/subversi - Server-side bugfixes: See CVE-2013-1845, CVE-2013-1846, CVE-2013-1847, CVE-2013-1849, and CVE-2013-1884, and descriptive advisories at - http://subversion.apache.org/security/ + https://subversion.apache.org/security/ * svnserve will log the replayed rev not the low-water rev. (r1461278) * mod_dav_svn will omit some property values for activity urls (r1453780) * fix an assertion in mod_dav_svn when acting as a proxy on / (issue #4272) @@ -3486,7 +3486,7 @@ Version 1.7.0 http://svn.apache.org/repos/asf/subversion/tags/1.7.0 See the 1.7 release notes for a more verbose overview of the changes since -the 1.6 release: http://subversion.apache.org/docs/release-notes/1.7.html +the 1.6 release: https://subversion.apache.org/docs/release-notes/1.7.html User-visible changes: - General: @@ -3685,7 +3685,7 @@ http://svn.apache.org/repos/asf/subversi * fix FSFS repository corruption due to newline in filename (issue #4340) * fix svnserve exiting when a client connection is aborted (r1482759) See CVE-2013-2112, and descriptive advisory at - http://subversion.apache.org/security/CVE-2013-2112-advisory.txt + https://subversion.apache.org/security/CVE-2013-2112-advisory.txt - Other tool improvements and bugfixes: * fix argument processing in contrib hook scripts (r1485350) @@ -3783,7 +3783,7 @@ http://svn.apache.org/repos/asf/subversi * fixed: file externals cause mixed-revision working copies (issue #3816) * fix crash in mod_dav_svn with GETs of baselined resources (r1104126) See CVE-2011-1752, and descriptive advisory at - http://subversion.apache.org/security/CVE-2011-1752-advisory.txt + https://subversion.apache.org/security/CVE-2011-1752-advisory.txt * fixed: write-through proxy could directly commit to slave (r917523) * detect a particular corruption condition in FSFS (r1100213) * improve error message when clients refer to unknown revisions (r939000) 
@@ -3796,10 +3796,10 @@ http://svn.apache.org/repos/asf/subversi * server-side validation of svn:mergeinfo syntax during commit (issue #3895) * fix remotely triggerable mod_dav_svn DoS (r1130303) See CVE-2011-1783, and descriptive advisory at - http://subversion.apache.org/security/CVE-2011-1783-advisory.txt + https://subversion.apache.org/security/CVE-2011-1783-advisory.txt * fix potential leak of authz-protected file contents (r1130303) See CVE-2011-1921, and descriptive advisory at - http://subversion.apache.org/security/CVE-2011-1921-advisory.txt + https://subversion.apache.org/security/CVE-2011-1921-advisory.txt Developer-visible changes: * fix reporting FS-level post-commit processing errors (r1104098) @@ -3815,7 +3815,7 @@ http://svn.apache.org/repos/asf/subversi * more improvement to the 'blame -g' memory leak from 1.6.15 (r1041438) * avoid a crash in mod_dav_svn when using locks (r1071239, -307) See CVE-2011-0715, and descriptive advisory at - http://subversion.apache.org/security/CVE-2011-0715-advisory.txt + https://subversion.apache.org/security/CVE-2011-0715-advisory.txt * avoid unnecessary globbing for performance (r1068988) * don't add tree conflicts when one already exists (issue #3486) * fix potential crash when requesting mergeinfo (r902467) @@ -3890,7 +3890,7 @@ http://svn.apache.org/repos/asf/subversi * fixed: record-only merges create self-referential mergeinfo (issue #3646) * fixed: 'SVNPathAuthz short_circuit' unsolicited read access (issue #3695) See CVE-2010-3315, and descriptive advisory at - http://subversion.apache.org/security/CVE-2010-3315-advisory.txt + https://subversion.apache.org/security/CVE-2010-3315-advisory.txt * make 'svnmucc propset' handle existing and non-existing URLs (r1000607) * add new 'propsetf' subcommand to svnmucc (r1000612) * warn about copied dirs during 'svn ci' with limited depth (r1002094) 
@@ -4066,7 +4066,7 @@ http://svn.apache.org/repos/asf/subversi User-visible changes: * fixed: heap overflow vulnerability on server and client See CVE-2009-2411, and descriptive advisory at - http://subversion.apache.org/security/CVE-2009-2411-advisory.txt + https://subversion.apache.org/security/CVE-2009-2411-advisory.txt Version 1.6.3 @@ -4302,7 +4302,7 @@ http://svn.apache.org/repos/asf/subversi * improve memory performance in 'svn merge' (issue #3393) * fixed: 'SVNPathAuthz short_circuit' unsolicited read access (issue #3695) See CVE-2010-3315, and descriptive advisory at - http://subversion.apache.org/security/CVE-2010-3315-advisory.txt + https://subversion.apache.org/security/CVE-2010-3315-advisory.txt * prevent crash in mod_dav_svn when using SVNParentPath (r1033166) * limit memory fragmentation in svnserve (r1022675) * fix server-side memory leaks triggered by 'blame -g' (r1032808) @@ -4327,7 +4327,7 @@ http://svn.apache.org/repos/asf/subversi User-visible changes: * fixed: heap overflow vulnerability on server and client See CVE-2009-2411, and descriptive advisory at - http://subversion.apache.org/security/CVE-2009-2411-advisory.txt + https://subversion.apache.org/security/CVE-2009-2411-advisory.txt Version 1.5.6 @@ -4760,7 +4760,7 @@ http://svn.apache.org/repos/asf/subversi User-visible changes: * fixed: file placement vulnerability (Win32 clients only) See CVE-2007-3846, and descriptive advisory at - http://subversion.apache.org/security/CVE-2007-3846-advisory.txt + https://subversion.apache.org/security/CVE-2007-3846-advisory.txt Version 1.4.4 @@ -5339,7 +5339,7 @@ Version 1.2.0 http://svn.apache.org/repos/asf/subversion/tags/1.2.0 See the 1.2 release notes for a more verbose overview of the changes since -the 1.1 release: http://subversion.apache.org/docs/release-notes/1.2.html +the 1.1 release: https://subversion.apache.org/docs/release-notes/1.2.html User-visible changes: - Client: 
@@ -5635,7 +5635,7 @@ Version 1.1.0 http://svn.apache.org/repos/asf/subversion/tags/1.1.0 See the 1.1 release notes for a more verbose overview of the changes since -1.0.x: http://subversion.apache.org/docs/release-notes/1.1.html +1.0.x: https://subversion.apache.org/docs/release-notes/1.1.html User-visible changes: * new non-database repository back-end (libsvn_fs_fs) @@ -5765,7 +5765,7 @@ http://svn.apache.org/repos/asf/subversi User-visible changes: * fixed: mod_authz_svn path and log-message metadata leaks. See CAN-2004-0749, and descriptive advisory at - http://subversion.apache.org/security/CAN-2004-0749-advisory.txt + https://subversion.apache.org/security/CAN-2004-0749-advisory.txt Version 1.0.7 Propchange: subversion/branches/1.14.x/CHANGES ------------------------------------------------------------------------------ Merged /subversion/trunk/CHANGES:r1899788-1899789,1903577
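
Review bot: the removal in the "@@ -38,7 +38,6 @@" hunk (Version 1.14.2, Client-side bugfixes) together with the additions in the next hunk reclassifies r1899227 from a client-side bugfix to a server-side security fix, but the log message only says "Merge missing revs from trunk". Suggest the log message state that CVE identifiers are being added to the 1.14.2 and 1.10.8 entries and name the merged trunk revisions, which the Propchange records as r1899788-1899789 and r1903577, so the change can be found from the log without reading the mergeinfo.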
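
Review bot: the two lines added in the "@@ -47,7 +46,8 @@" hunk (Version 1.14.2, Server-side bugfixes) name CVE-2021-28544 and CVE-2022-24070 without an advisory pointer, while the older security entries touched by this same patch use the form "See CVE-..., and descriptive advisory at" followed by a link under https://subversion.apache.org/security/. Consider adding the same "See ..." line under each new entry so a reader of CHANGES can reach the advisory text directly; the identical pair of lines added in the "@@ -326,11 +326,11 @@" hunk for 1.10.8 would need the same treatment.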
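
Review bot: in the "@@ -3486,7 +3486,7 @@" hunk (Version 1.7.0) the context line http://svn.apache.org/repos/asf/subversion/tags/1.7.0 stays on http while the release-notes link two lines below it moves to https, and the same is true of the tag URLs in the 1.2.0 and 1.1.0 hunks. If the intent is to stop publishing plain-http links in CHANGES, the svn.apache.org tag URLs should be switched in the same pass; if they are left as they are on purpose, a short remark in the log message would explain the difference.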
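
Review bot: in the "@@ -3685,7 +3685,7 @@" hunk the context entry "fix FSFS repository corruption due to newline in filename (issue #4340)" has no CVE reference, whereas the same entry in the "@@ -3115,10 +3115,10 @@" hunk is followed by "See CVE-2013-1968, and descriptive advisory at". Since this commit is already aligning security references across release sections, it is worth checking whether the entry at -3685 should carry the same "See CVE-2013-1968" line, and adding it if that release shipped the fix.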