ssh vulnerability that has potential impacts to Subversion users

2013-11-08 Thread Ben Reser
OpenSSH released a fix for a memory corruption with AES-GCM ciphers in OpenSSH
6.2 and 6.3.

Their advisory is here:
http://www.openssh.com/txt/gcmrekey.adv

If you're using Subversion in a svn+ssh:// configuration that restricts the
command being run using the command field in the authorized_keys file, it may be
possible to bypass this restriction.

This Subversion configuration is described in the SVN Book here:
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks
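Added example, not from this post or from the OpenSSH or Subversion projects: a small audit of the two settings the advisory and the linked SVN Book section concern. It checks each authorized_keys line for the svnserve command restriction (and the no-* options the book recommends alongside it), and checks whether sshd_config still lets AES-GCM be negotiated, which is the advisory's workaround for servers that cannot be upgraded. The sample key lines are constructed.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ecdsa-sha2-", "ssh-ed25519")
LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty"}

def split_outside_quotes(text, sep):
    """Split on sep, ignoring sep inside double quotes (command="..." may contain it)."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def audit_key_line(line):
    """Findings for one authorized_keys line; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        return ["no options at all: key allows an unrestricted login"]
    opts = split_outside_quotes(split_outside_quotes(line, " ")[0], ",")
    findings = []
    cmd = [o for o in opts if o.startswith("command=")]
    if not cmd:
        findings.append("no command= restriction")
    elif not (cmd[0].startswith('command="svnserve') and " -t" in cmd[0]):
        findings.append("command= does not force 'svnserve -t'")
    missing = LOCKDOWN - set(opts)
    if missing:
        findings.append("missing " + ",".join(sorted(missing)))
    return findings

def gcm_cipher_possible(sshd_config):
    """True if sshd may negotiate AES-GCM: no Ciphers line (6.2/6.3 defaults include GCM) or one naming it."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("ciphers"):
            value = line[len("ciphers"):].lstrip(" =")
            return any("gcm" in c for c in value.split(","))
    return True

# constructed sample lines: a locked-down key, a partially restricted one, and a bare one
SAMPLE_KEYS = [
    'command="svnserve -t --tunnel-user=harry",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nz harry',
    'command="svnserve -t --tunnel-user=sally" ssh-rsa AAAAB3Nz sally',
    'ssh-rsa AAAAB3Nz joe',
]
```

Run `audit_key_line` over each line of the server's authorized_keys files and `gcm_cipher_possible` over the sshd_config text; any finding on a key that is meant to be svnserve-only is a key whose only protection was the restriction the advisory says can be bypassed.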


Re: Issues with mod_dav in httpd 2.2.25 and 2.4.6

2013-11-08 Thread Ben Reser
On 11/7/13 9:46 PM, Ben Reser wrote:
> I believe some binary packages have included these patches already.  But I'm
> not sure which ones have and have not.  Hopefully those vendors can respond
> here to note that.  Note that the patches are against httpd and not SVN so if
> the binary package you're using does not include Apache httpd and just uses the
> httpd included with your OS/distribution then it's up to the OS/distribution to
> have patched (which they likely have not).

I can confirm that the Windows and Solaris binaries provided by WANdisco do
include fixes for these issues.  Binaries for other platforms do not include
httpd and use the OS or distribution provided httpd.

Note that (and I suspect this is probably true for other binaries) these
binaries are patched by removing the changes that introduced the regressions in
httpd.  The patches included earlier in this thread actually fix the
regressions without removing the beneficial changes added in the newer httpd
releases.  For use with SVN the difference is not significant unless you are
using DAV clients other than Subversion with the same copy of httpd.



Re: NOT RESOLVED: SVN copy that worked in 1.8.0 now fails with (424 FailedDependency)

2013-11-08 Thread Ben Reser
On 11/7/13 9:55 PM, Ben Reser wrote:
> Putting my own corporate hat on for a moment here.  WANdisco binaries that come
> with httpd should be patched as well.  I need to ask the individual that builds
> them to verify for sure.  If you find that they are not let me know and I'll
> see that this changes.  You can find the WANdisco binaries here for free
> download:
> http://www.wandisco.com/subversion/download

I have confirmed that the WANdisco binaries for Windows and Solaris include
httpd and have been patched.  Other platforms do not include Apache httpd but
use the one already on the host OS/distribution.



SVN deny update (not read and write)

2013-11-08 Thread baris Alagöz
Hello to all, this is Baris. I am totally new, so please help me... I wonder if
I could just deny the update right to all after writing a record into Subversion...
I mean, a user will have the right to write into it, but after writing is done,
can I deny the update right? Or something like this... Kind regards...

Re: svnadmin hotcopy losing revprops

2013-11-08 Thread Philip Martin
"Matthews, David"  writes:

> Thanks for your response (although it doesn't seem to have made it
> to the archive yet - perhaps because I used google groups?).

Yes, my reply went to google groups and was bounced because I'm not
subscribed to the google group.

> It's good to know that the problem is reproducible.
> I'll go back to using 1.8.3 for the moment.
>
> Do you think this bug needs advertising more widely somehow?

I've raised issue 4448
http://subversion.tigris.org/issues/show_bug.cgi?id=4448

> Our backup procedure relies on hotcopy and, if I hadn't discovered
> this during my testing, we could have ended up having no useable
> backups which is a scary thought.

-- 
Philip Martin | Subversion Committer
WANdisco // *Non-Stop Data*


RE: svnadmin hotcopy losing revprops

2013-11-08 Thread Matthews, David
> -Original Message-
> From: Philip Martin [mailto:philip.mar...@wandisco.com] 
> Sent: 08 November 2013 10:19
> To: Matthews, David
> Cc: subversion_us...@googlegroups.com
> Subject: Re: svnadmin hotcopy losing revprops
> 
> dpm  writes:
> 
> > I'm using svn 1.8.4 on RHEL 6.3 (we're in the process of trying to upgrade
> > from svn 1.6 to 1.8).
> > However, the svnadmin hotcopy command doesn't appear to be working
> > correctly with the repositories I've copied over from our 1.6 server - most
> > of the db/revprop directories are missing.
> 
> I can reproduce this, hotcopy fails to copy some of the revprops
> corresponding to packed revisions when the repository is 1.7 or earlier
> format:
> 
> svnadmin create repo --compatible-version 1.7
> perl -i -pe s/1000/10/ repo/db/format
> for i in `seq 0 75`;do echo $i >> x.x ; svnmucc -mm put x.x file://`pwd`/repo/f ; done
> svnadmin pack repo
> svnadmin hotcopy repo repo2
> 
> The bug was introduced to 1.8 by r1520723 and is still present on trunk.

Thanks for your response (although it doesn't seem to have made it
to the archive yet - perhaps because I used google groups?).
It's good to know that the problem is reproducible.
I'll go back to using 1.8.3 for the moment.

Do you think this bug needs advertising more widely somehow?
Our backup procedure relies on hotcopy and, if I hadn't discovered
this during my testing, we could have ended up having no useable
backups which is a scary thought.

Thanks,
David Matthews
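
Added example, not from this thread or from the Subversion project: a check that a hotcopy did not lose revision property files, the failure David describes above. It reads the head revision from db/current and the shard size from db/format, enumerates the revprop path every revision must have, and reports the ones absent from the copy. It assumes the pre-1.8 FSFS layout of the repositories in the report (db/revprops/<shard>/<rev>, revprops never packed); 1.8-format repositories that have been packed keep revprops in .pack directories and need a different walk.

```python
import os

def fsfs_layout(repo):
    """Head revision and revprop shard size from an FSFS repo (None for linear layouts).
    Assumes the pre-1.8 layout from the report above, where revprops are never packed."""
    with open(os.path.join(repo, "db", "current")) as f:
        head = int(f.read().split()[0])   # first field is the head revision in every format
    shard = None
    with open(os.path.join(repo, "db", "format")) as f:
        for line in f:
            if line.startswith("layout sharded"):
                shard = int(line.split()[2])
    return head, shard

def expected_revprops(head, shard):
    """Relative path of every revprop file a repository with this layout must contain."""
    if shard is None:
        return {"db/revprops/%d" % r for r in range(head + 1)}
    return {"db/revprops/%d/%d" % (r // shard, r) for r in range(head + 1)}

def present_revprops(repo):
    """Relative paths of the revprop files actually on disk."""
    found = set()
    for d, _, files in os.walk(os.path.join(repo, "db", "revprops")):
        for name in files:
            rel = os.path.relpath(os.path.join(d, name), repo)
            found.add(rel.replace(os.sep, "/"))
    return found

def missing_revprops(head, shard, present):
    """Expected revprop paths absent from `present`, ordered by revision number."""
    gone = expected_revprops(head, shard) - set(present)
    return sorted(gone, key=lambda p: int(p.rsplit("/", 1)[1]))

def check_hotcopy(src, dst):
    """Compare a hotcopy against its source: same head and layout, and no revprop file lost."""
    head, shard = fsfs_layout(src)
    if fsfs_layout(dst) != (head, shard):
        raise SystemExit("hotcopy layout/head differs from source")
    return missing_revprops(head, shard, present_revprops(dst))

if __name__ == "__main__":
    import sys
    lost = check_hotcopy(sys.argv[1], sys.argv[2])   # e.g. repo repo2 from the reproduction above
    print("missing revprops:", lost or "none")
```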

Re: Issues with mod_dav in httpd 2.2.25 and 2.4.6

2013-11-08 Thread Ivan Zhakov
On 8 November 2013 09:46, Ben Reser  wrote:
> The current releases of httpd (at the time of writing this email) have two
> issues when used with Subversion.  At this point httpd doesn't release very
> often leaving some users with an unfortunate choice to leave their httpd
> unpatched from some security issues fixed by those releases or to deal with
> these additional bugs introduced in recent versions of httpd.
>
> In order to help the end users I've put together some patches (that should be
> included in the next releases of Apache httpd) that resolve these issues.
>
> * PR 55397 : ABI change in mod_dav causes failures with older versions of SVN
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55397
>
[...]
> * PR 55306 : COPY fails when source is locked
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55306
>
Hi Ben,

Thanks for the great summary on these problems!

>
> I believe some binary packages have included these patches already.  But I'm
> not sure which ones have and have not.  Hopefully those vendors can respond
> here to note that.
VisualSVN Server distribution includes both mentioned patches since
version 2.6.5:
http://www.visualsvn.com/server/download/

-- 
Ivan Zhakov
CTO | VisualSVN | http://www.visualsvn.com


Re: Issues with mod_dav in httpd 2.2.25 and 2.4.6

2013-11-08 Thread Pavel Lyalyakin
Hello,

I've just replied to the related thread and noticed this one.
VisualSVN Server has had the patch applied since version 2.6.5:
http://www.visualsvn.com/server/changes/#v2.6.5

On Fri, Nov 8, 2013 at 9:46 AM, Ben Reser  wrote:
> The current releases of httpd (at the time of writing this email) have two
> issues when used with Subversion.  At this point httpd doesn't release very
> often leaving some users with an unfortunate choice to leave their httpd
> unpatched from some security issues fixed by those releases or to deal with
> these additional bugs introduced in recent versions of httpd.
>
> In order to help the end users I've put together some patches (that should be
> included in the next releases of Apache httpd) that resolve these issues.
>
> * PR 55397 : ABI change in mod_dav causes failures with older versions of SVN
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55397
>
> This issue presents itself when the client or the server are 1.6.x or older
> (specifically that they do not support HTTPv2).  Users will see failures when
> trying to commit changes to paths that have URI unsafe characters in their
> names (e.g. paths with spaces).  This will show up as an error about
> "Unable to PUT new contents for /path" in the httpd error logs.
>
> Patches:
> 2.4.x: https://people.apache.org/~breser/httpd/2.4.x/patches/pr55397.patch
> 2.2.x: https://people.apache.org/~breser/httpd/2.2.x/patches/pr55397.patch
>
> * PR 55306 : COPY fails when source is locked
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55306
>
> This issue presents itself with an 424 Failed Dependency when the source that
> you're copying is locked with `svn lock`.
>
> Patches:
> 2.4.x: https://people.apache.org/~breser/httpd/2.4.x/patches/pr55306.patch
> 2.2.x: https://people.apache.org/~breser/httpd/2.2.x/patches/pr55306.patch
>
> I believe some binary packages have included these patches already.  But I'm
> not sure which ones have and have not.  Hopefully those vendors can respond
> here to note that.  Note that the patches are against httpd and not SVN so if
> the binary package you're using does not include Apache httpd and just uses the
> httpd included with your OS/distribution then it's up to the OS/distribution to
> have patched (which they likely have not).

-- 
With best regards,
Pavel Lyalyakin
VisualSVN Team


Re: NOT RESOLVED: SVN copy that worked in 1.8.0 now fails with (424 FailedDependency)

2013-11-08 Thread Pavel Lyalyakin
Hello,

> > I'd suggest going with a binary produced by one of the
> > vendors.  I think several have already patched.  Mark
> > mentioned that Collab.Net's packages are patched.
>
> I've downloaded those, too, but the installation hasn't "taken" yet.  I'll
> have to edit the httpd.conf a bit more carefully to make things work with it.
> (At present, I'm getting an error 1, which I'm sure is due to a
> misconfiguration.  I'll RTFM before posting any more about that.  Quite
> likely, I should have tried the vanilla install first, then modified to suit.)

VisualSVN Server is patched to fix the bug since version 2.6.5 (August
30, 2013): http://www.visualsvn.com/server/changes/#v2.6.5

You can get the latest version at http://www.visualsvn.com/server/download/

Thank you.

-- 
With best regards,
Pavel Lyalyakin
VisualSVN Team