Author: dsahlberg
Date: Sun Dec  8 23:35:01 2024
New Revision: 1922381

URL: http://svn.apache.org/viewvc?rev=1922381&view=rev
Log:
In site/staging:

Prepare for 1.14.5

* doap.rdf,
  docs/release-notes/release-history.html,
  download.html,
  index.html,
  news.html: Update for the 1.14.5 release

* security/CVE-2024-46901-advisory.txt,
  staging/security/CVE-2024-46901-advisory.txt.asc: New

* staging/security/index.html: Add CVE-2024-46901


Added:
    subversion/site/staging/security/CVE-2024-46901-advisory.txt
    subversion/site/staging/security/CVE-2024-46901-advisory.txt.asc
Modified:
    subversion/site/staging/doap.rdf
    subversion/site/staging/docs/release-notes/release-history.html
    subversion/site/staging/download.html
    subversion/site/staging/index.html
    subversion/site/staging/news.html
    subversion/site/staging/security/index.html

Modified: subversion/site/staging/doap.rdf
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/doap.rdf?rev=1922381&r1=1922380&r2=1922381&view=diff
==============================================================================
--- subversion/site/staging/doap.rdf (original)
+++ subversion/site/staging/doap.rdf Sun Dec  8 23:35:01 2024
@@ -37,8 +37,8 @@
     <release>
       <Version>
         <name>Current 1.14 LTS release</name>
-        <created>2024-10-08</created>
-        <revision>1.14.4</revision>
+        <created>2024-12-08</created>
+        <revision>1.14.5</revision>
       </Version>
     </release>
     <repository>

Modified: subversion/site/staging/docs/release-notes/release-history.html
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/docs/release-notes/release-history.html?rev=1922381&r1=1922380&r2=1922381&view=diff
==============================================================================
--- subversion/site/staging/docs/release-notes/release-history.html (original)
+++ subversion/site/staging/docs/release-notes/release-history.html Sun Dec  8 
23:35:01 2024
@@ -32,6 +32,9 @@ Subversion 2.0.</p>
 
 <ul>
   <li>
+    <b>Subversion 1.14.5</b> (Sunday, 8 December 2024): Bugfix/security 
release.
+  </li>
+  <li>
     <b>Subversion 1.14.4</b> (Tuesday, 8 October 2024): Bugfix/security 
release.
   </li>
   <li>

Modified: subversion/site/staging/download.html
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/download.html?rev=1922381&r1=1922380&r2=1922381&view=diff
==============================================================================
--- subversion/site/staging/download.html (original)
+++ subversion/site/staging/download.html Sun Dec  8 23:35:01 2024
@@ -95,7 +95,7 @@ Other mirrors:
     title="Link to this section">&para;</a>
 </h3>
 
-<p style="font-size: 150%; text-align: center;">Apache Subversion 1.14.4 
LTS</p>
+<p style="font-size: 150%; text-align: center;">Apache Subversion 1.14.5 
LTS</p>
 <table class="centered">
 <tr>
   <th>File</th>
@@ -104,20 +104,20 @@ Other mirrors:
   <th>PGP Public Keys</th>
 </tr>
 <tr>
-  <td><a 
href="[preferred]subversion/subversion-1.14.4.tar.bz2">subversion-1.14.4.tar.bz2</a></td>
-  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.4.tar.bz2.sha512";>SHA-512</a>]</td>
-  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.4.tar.bz2.asc";>PGP 
signatures</a>]</td>
-  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.4.KEYS";>PGP 
keyring</a>]</td>
+  <td><a 
href="[preferred]subversion/subversion-1.14.5.tar.bz2">subversion-1.14.5.tar.bz2</a></td>
+  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.5.tar.bz2.sha512";>SHA-512</a>]</td>
+  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.5.tar.bz2.asc";>PGP 
signatures</a>]</td>
+  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.5.KEYS";>PGP 
keyring</a>]</td>
 </tr><tr>
-  <td><a 
href="[preferred]subversion/subversion-1.14.4.tar.gz">subversion-1.14.4.tar.gz</a></td>
-  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.4.tar.gz.sha512";>SHA-512</a>]</td>
-  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.4.tar.gz.asc";>PGP 
signatures</a>]</td>
-  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.4.KEYS";>PGP 
keyring</a>]</td>
+  <td><a 
href="[preferred]subversion/subversion-1.14.5.tar.gz">subversion-1.14.5.tar.gz</a></td>
+  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.5.tar.gz.sha512";>SHA-512</a>]</td>
+  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.5.tar.gz.asc";>PGP 
signatures</a>]</td>
+  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.5.KEYS";>PGP 
keyring</a>]</td>
 </tr><tr>
-  <td><a 
href="[preferred]subversion/subversion-1.14.4.zip">subversion-1.14.4.zip</a></td>
-  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.4.zip.sha512";>SHA-512</a>]</td>
-  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.4.zip.asc";>PGP 
signatures</a>]</td>
-  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.4.KEYS";>PGP 
keyring</a>]</td>
+  <td><a 
href="[preferred]subversion/subversion-1.14.5.zip">subversion-1.14.5.zip</a></td>
+  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.5.zip.sha512";>SHA-512</a>]</td>
+  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.5.zip.asc";>PGP 
signatures</a>]</td>
+  <td>[<a 
href="https://www.apache.org/dist/subversion/subversion-1.14.5.KEYS";>PGP 
keyring</a>]</td>
 </tr>
 </table>
 

Modified: subversion/site/staging/index.html
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/index.html?rev=1922381&r1=1922380&r2=1922381&view=diff
==============================================================================
--- subversion/site/staging/index.html (original)
+++ subversion/site/staging/index.html Sun Dec  8 23:35:01 2024
@@ -70,6 +70,31 @@
 
 <!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
 
+<div class="h3" id="news-20241208"> 
+<h3>2024-12-08 &mdash; Apache Subversion 1.14.5 Released
+ <a class="sectionlink" href="#news-20241208"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.14.5.</p>
+<p>
+This release contains a fix for a security issue:
+ <a href="/security/CVE-2024-46901-advisory.txt">CVE-2024-46901</a>
+</p>
+<p>
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable.
+ Please see the
+<!-- until release announcement e-mail  <a 
href="https://lists.apache.org/thread/glvmq598wv71thrd9vmbm0q5w6n3124w";
+ >release announcement</a> and the -->
+ <a href="/docs/release-notes/1.14"
+ >release notes</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download.cgi#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20241208 --> 
+
 <div class="h3" id="news-20241008"> 
 <h3>2024-10-08 &mdash; Apache Subversion 1.14.4 Released
  <a class="sectionlink" href="#news-20241008"
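Review bot: the commented-out release announcement link (`<!-- until release announcement e-mail <a href="https://lists.apache.org/thread/..."`) already carries a concrete lists.apache.org thread id; confirm that id is the 1.14.5 announcement thread and not one carried over from the earlier news item before the comment markers are removed, otherwise the live page will point readers at the wrong announcement.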
@@ -115,24 +140,6 @@ This release contains a fix for a securi
  
 </div> <!-- #news-20231228-1.14.3 --> 
 
-<div class="h3" id="news-20230924">
-<h3>2023-09-24 &mdash; Apache Subversion 1.10.x end of life
-  <a class="sectionlink" href="#news-20230924"
-    title="Link to this section">&para;</a>
-</h3>
-
-<p>The Subversion 1.10.x line is end of life (<abbr title="End Of 
Life">EOL</abbr>).
-It was released on 2018-04-13 and was supported for the last four years
-according to the LTS release life-cycle (see <a
-href="/roadmap.html#release-planning">How we plan
-releases</a>). We recommend everyone to update to the current LTS release <a
-href="/download.cgi#recommended-release">1.14.2</a> as soon as practically
-possible since we've stopped accepting bug reports against 1.10.x and will not
-make any more 1.10.x releases. The last 1.10.x release (1.10.8) was made
-on 2022-04-12 and is available to anyone who can't update to 1.14.</p>
-
-</div>  <!-- news-20230924 -->
-
 <p style="font-style: italic; text-align:
    right;">[Click <a href="/news.html">here</a> to see all News
    items.]</p>
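Review bot: removing the 2023-09-24 "1.10.x end of life" item here is consistent with the "keep only the most recent 3 or 4 news items" comment at the top of the file, and the news.html hunk in this revision only adds, so the item survives in the full news archive. Worth noting that the dropped text still told readers to update to "1.14.2" as the current LTS, so it was already stale; nothing in the retained items repeats that reference.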

Modified: subversion/site/staging/news.html
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/news.html?rev=1922381&r1=1922380&r2=1922381&view=diff
==============================================================================
--- subversion/site/staging/news.html (original)
+++ subversion/site/staging/news.html Sun Dec  8 23:35:01 2024
@@ -26,6 +26,31 @@
 <!-- Maybe we could insert H2's to split up the news items by  -->
 <!-- calendar year if we felt the need to do so.               -->
 
+<div class="h3" id="news-20241208"> 
+<h3>2024-12-08 &mdash; Apache Subversion 1.14.5 Released
+ <a class="sectionlink" href="#news-20241208"
+ title="Link to this section">&para;</a> 
+</h3> 
+ 
+<p>We are pleased to announce the release of Apache Subversion 1.14.5.</p>
+<p>
+This release contains a fix for a security issue:
+ <a href="/security/CVE-2024-46901-advisory.txt">CVE-2024-46901</a>
+</p>
+<p>
+ This is the most complete Subversion release to date, and we encourage
+ users of Subversion to upgrade as soon as reasonable.
+ Please see the
+<!-- until e-mail <a 
href="https://lists.apache.org/thread/glvmq598wv71thrd9vmbm0q5w6n3124w";
+ >release announcement</a> and the -->
+ <a href="/docs/release-notes/1.14"
+ >release notes</a> for more information about this release.</p> 
+ 
+<p>To get this release from the nearest mirror, please visit our
+ <a href="/download.cgi#recommended-release">download page</a>.</p> 
+ 
+</div> <!-- #news-20241208 --> 
+
 <div class="h3" id="news-20241008"> 
 <h3>2024-10-08 &mdash; Apache Subversion 1.14.4 Released
  <a class="sectionlink" href="#news-20241008"
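Review bot: this block is a verbatim copy of the new index.html item except for the HTML comment text ("until e-mail" here versus "until release announcement e-mail" in index.html); when the announcement link is uncommented, both files need the same edit, and the same check applies that the embedded lists.apache.org thread id is the 1.14.5 announcement.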

Added: subversion/site/staging/security/CVE-2024-46901-advisory.txt
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/security/CVE-2024-46901-advisory.txt?rev=1922381&view=auto
==============================================================================
--- subversion/site/staging/security/CVE-2024-46901-advisory.txt (added)
+++ subversion/site/staging/security/CVE-2024-46901-advisory.txt Sun Dec  8 
23:35:01 2024
@@ -0,0 +1,253 @@
+  mod_dav_svn denial-of-service via control characters in paths
+
+Summary:
+========
+
+  It has been discovered that the patch for CVE-2013-1968 was incomplete
+  and unintentionally left mod_dav_svn vulnerable to control characters
+  in filenames.
+
+  If a path or a revision-property which contains control characters is
+  committed to a repository then SVN operations served by mod_dav_svn
+  can be disrupted.
+
+Known vulnerable:
+=================
+
+ Subversion mod_dav_svn servers through 1.14.4 (inclusive).
+
+Known fixed:
+============
+
+  Servers running Subversion 1.14.5
+
+Details:
+========
+
+  If a path which contains control characters is committed to a repository
+  then SVN operations served by mod_dav_svn can be disrupted by encoding
+  errors raised from the XML library.
+
+  This leads to disruption for users accessing the repository via HTTP.
+  Affected repositories can be repaired (see "Recommendations" below).
+  However, restoring proper operation might take some time because a
+  full dump/load cycle may be required.
+
+  Local repositories and svnserve repository servers (accessed via a
+  file://, svn://, or svn+ssh:// URL) are not affected. In these cases,
+  control characters have been rejected since CVE-2013-1968 was patched
+  in Subversion 1.6.21 and Subversion 1.7.9.
+
+  Known symptoms of the problem include:
+
+   1) 'svn checkout', 'svnsync', and other operations that attempt to
+      read the affected revision may produce errors like:
+   
+         svn: E175009: The XML response contains invalid XML
+         svn: E130003: Malformed XML: not well-formed (invalid token)
+
+   2) Attempts to browse affected files or directories via the web
+      interface will cause the server to return:
+      
+         500 Internal Server Error
+
+  Apache Subversion clients have always rejected filenames with control
+  characters, so control characters cannot be introduced with stock
+  Subversion clients. They could, however, be triggered by custom
+  malicious Subversion clients or by third-party client implementations.
+
+  Servers updated to Subversion 1.14.5 will reject control characters in
+  all cases.
+
+Severity:
+=========
+
+  CVSSv3.1 Base Score: 3.1
+  CVSSv3.1 Base Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
+
+  A remote authenticated attacker with commit access may be able to
+  corrupt repositories on a Subversion server and cause disruption for
+  other users.
+
+  Configurations that allow anonymous write access to the repository
+  will be vulnerable to this without authentication.
+
+Recommendations:
+================
+
+  We recommend all users to upgrade their servers to a known fixed
+  release of Subversion.
+
+  Users who are unable to upgrade may apply the patch included below.
+
+  New Subversion packages can be found at:
+  http://subversion.apache.org/packages.html
+
+  Repositories affected by this problem can be repaired manually:
+
+  Bad revision properties can be repaired by using svn propedit over
+  the file://, svn:// or svn+ssh:// protocols.
+
+  Bad paths which have entered a repository need to be removed from
+  history with a dump/load cycle, using svnadmin dump --exclude to
+  filter out the bad paths, and loading the result into a fresh
+  repository with svnadmin load.
+
+References:
+===========
+
+  CVE-2024-46901 (Subversion)
+  CVE-2013-1968 (Subversion)
+
+  XML Characters: https://www.w3.org/TR/xml/#charsets
+
+Reported by:
+============
+
+  HaoZi, WordPress China
+
+Patches:
+========
+
+  Patch against Subversion 1.14.4:
+
+[[[
+Index: subversion/include/private/svn_repos_private.h
+===================================================================
+--- subversion/include/private/svn_repos_private.h     (revision 1921550)
++++ subversion/include/private/svn_repos_private.h     (working copy)
+@@ -390,6 +390,14 @@ svn_repos__get_dump_editor(const svn_delta_editor_
+                            const char *update_anchor_relpath,
+                            apr_pool_t *pool);
+ 
++/* Validate that the given PATH is a valid pathname that can be stored in
++ * a Subversion repository, according to the name constraints used by the
++ * svn_repos_* layer.
++ */
++svn_error_t *
++svn_repos__validate_new_path(const char *path,
++                             apr_pool_t *scratch_pool);
++
+ #ifdef __cplusplus
+ }
+ #endif /* __cplusplus */
+Index: subversion/libsvn_repos/commit.c
+===================================================================
+--- subversion/libsvn_repos/commit.c   (revision 1921550)
++++ subversion/libsvn_repos/commit.c   (working copy)
+@@ -308,8 +308,7 @@ add_file_or_directory(const char *path,
+   svn_boolean_t was_copied = FALSE;
+   const char *full_path, *canonicalized_path;
+ 
+-  /* Reject paths which contain control characters (related to issue #4340). 
*/
+-  SVN_ERR(svn_path_check_valid(path, pool));
++  SVN_ERR(svn_repos__validate_new_path(path, pool));
+ 
+   SVN_ERR(svn_relpath_canonicalize_safe(&canonicalized_path, NULL, path,
+                                         pool, pool));
+Index: subversion/libsvn_repos/repos.c
+===================================================================
+--- subversion/libsvn_repos/repos.c    (revision 1921550)
++++ subversion/libsvn_repos/repos.c    (working copy)
+@@ -2092,3 +2092,13 @@ svn_repos__fs_type(const char **fs_type,
+                      svn_dirent_join(repos_path, SVN_REPOS__DB_DIR, pool),
+                      pool);
+ }
++
++svn_error_t *
++svn_repos__validate_new_path(const char *path,
++                             apr_pool_t *scratch_pool)
++{
++  /* Reject paths which contain control characters (related to issue #4340). 
*/
++  SVN_ERR(svn_path_check_valid(path, scratch_pool));
++
++  return SVN_NO_ERROR;
++}
+Index: subversion/mod_dav_svn/lock.c
+===================================================================
+--- subversion/mod_dav_svn/lock.c      (revision 1921550)
++++ subversion/mod_dav_svn/lock.c      (working copy)
+@@ -36,6 +36,7 @@
+ #include "svn_pools.h"
+ #include "svn_props.h"
+ #include "private/svn_log.h"
++#include "private/svn_repos_private.h"
+ 
+ #include "dav_svn.h"
+ 
+@@ -717,6 +718,12 @@ append_locks(dav_lockdb *lockdb,
+ 
+       /* Commit a 0-byte file: */
+ 
++      if ((serr = svn_repos__validate_new_path(resource->info->repos_path,
++                                               resource->pool)))
++        return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
++                                    "Request specifies an invalid path.",
++                                    resource->pool);
++
+       if ((serr = dav_svn__get_youngest_rev(&rev, repos, resource->pool)))
+         return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
+                                     "Could not determine youngest revision",
+Index: subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion/mod_dav_svn/repos.c     (revision 1921550)
++++ subversion/mod_dav_svn/repos.c     (working copy)
+@@ -2928,6 +2928,16 @@ open_stream(const dav_resource *resource,
+ 
+   if (kind == svn_node_none) /* No existing file. */
+     {
++      serr = svn_repos__validate_new_path(resource->info->repos_path,
++                                          resource->pool);
++
++      if (serr != NULL)
++        {
++          return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
++                                      "Request specifies an invalid path.",
++                                      resource->pool);
++        }
++
+       serr = svn_fs_make_file(resource->info->root.root,
+                               resource->info->repos_path,
+                               resource->pool);
+@@ -4120,6 +4130,14 @@ create_collection(dav_resource *resource)
+         return err;
+     }
+ 
++  if ((serr = svn_repos__validate_new_path(resource->info->repos_path,
++                                           resource->pool)) != NULL)
++    {
++      return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
++                                  "Request specifies an invalid path.",
++                                  resource->pool);
++    }
++
+   if ((serr = svn_fs_make_dir(resource->info->root.root,
+                               resource->info->repos_path,
+                               resource->pool)) != NULL)
+@@ -4194,6 +4212,12 @@ copy_resource(const dav_resource *src,
+         return err;
+     }
+ 
++  serr = svn_repos__validate_new_path(dst->info->repos_path, dst->pool);
++  if (serr)
++    return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
++                                "Request specifies an invalid path.",
++                                dst->pool);
++
+   src_repos_path = svn_repos_path(src->info->repos->repos, src->pool);
+   dst_repos_path = svn_repos_path(dst->info->repos->repos, dst->pool);
+ 
+@@ -4430,6 +4454,12 @@ move_resource(dav_resource *src,
+   if (err)
+     return err;
+ 
++  serr = svn_repos__validate_new_path(dst->info->repos_path, dst->pool);
++  if (serr)
++    return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
++                                "Request specifies an invalid path.",
++                                dst->pool);
++
+   /* Copy the src to the dst. */
+   serr = svn_fs_copy(src->info->root.root,  /* the root object of src rev*/
+                      src->info->repos_path, /* the relative path of src */
+]]]
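Review bot: the Summary says a path "or a revision-property" containing control characters can disrupt mod_dav_svn, but the Details section and the included patch only address paths (`svn_repos__validate_new_path` is wired into mod_dav_svn for new files in `open_stream`, `create_collection`, the destination of `copy_resource` and `move_resource`, and the 0-byte commit in `append_locks`); either state how 1.14.5 treats control characters in revision properties set over HTTP, or narrow the Summary so it agrees with Details and with Recommendations, which treat bad revision properties as something to repair via `svn propedit` rather than as input the fixed server rejects. Two smaller points before the file is signed: the "Known vulnerable" line is indented one space where every other body line uses two, and the lines between the two symptom entries carry trailing whitespace.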

Added: subversion/site/staging/security/CVE-2024-46901-advisory.txt.asc
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/security/CVE-2024-46901-advisory.txt.asc?rev=1922381&view=auto
==============================================================================
--- subversion/site/staging/security/CVE-2024-46901-advisory.txt.asc (added)
+++ subversion/site/staging/security/CVE-2024-46901-advisory.txt.asc Sun Dec  8 
23:35:01 2024
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQR9yKe/N0eP9I4z6F4rSCK0tjQLrAUCZ1Yo9AAKCRArSCK0tjQL
+rPznAPsFjMzG+SF0V/4RR5VohLUvtFrEj9I3mvQJufuJKLtP0AD/S2PmUZG00oTU
+INC5C/f+owxGwf77W9cdJzKpzXq1PAw=
+=dHDH
+-----END PGP SIGNATURE-----
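Review bot: this detached signature is bound to the exact bytes of CVE-2024-46901-advisory.txt as added in this revision, so any later wording or whitespace change to the advisory (including a trailing-whitespace cleanup) needs a fresh signature; otherwise the [PGP] link added to security/index.html will verify as bad against the published text.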

Modified: subversion/site/staging/security/index.html
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/security/index.html?rev=1922381&r1=1922380&r2=1922381&view=diff
==============================================================================
--- subversion/site/staging/security/index.html (original)
+++ subversion/site/staging/security/index.html Sun Dec  8 23:35:01 2024
@@ -339,6 +339,13 @@ clients using http(s)://</td>
   <td>Subversion command line argument injection on Windows platforms</td>
 </tr>
   
+<tr>
+  <td><a href="CVE-2024-46901-advisory.txt">CVE-2024-46901-advisory.txt</a>
+  [<a href="CVE-2024-46901-advisory.txt.asc">PGP</a>]</td>
+  <td>1.0.0-1.14.4</td>
+  <td>mod_dav_svn denial-of-service via control characters in paths</td>
+</tr>
+  
 </tbody>
 </table>
 

