Hello,
Do you plan to release mod Subversion (mod_svn) 1.8.11 VC11, X64 in the near future?
Looking for it following a security advisory from Secunia: http://secunia.com/advisories/61131/
Source changes: http://svn.apache.org/repos/asf/subversion/branches/1.8.x/CHANGES
Thank you in advance
Daniel
Hi Daniel,
I can't view the Secunia stuff, because I have no login. What is important to build that new version?
Cheers
http://subversion.apache.org/security/CVE-2014-3580-advisory.txt
Summary:
========
Subversion's mod_dav_svn Apache HTTPD server module will crash when it
receives a REPORT request for some invalid formatted special URIs.
This can lead to a DoS. There are no known instances of this problem
being exploited in the wild.
Severity:
=========
CVSSv2 Base Score: 5.0
CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
We consider this to be a medium risk vulnerability. Repositories which
allow for anonymous reads will be vulnerable without authentication.
Unfortunately, no special configuration is required and all mod_dav_svn
servers are vulnerable.
A remote attacker may be able to crash a Subversion server. Many Apache
servers will respawn the listener processes, but a determined attacker
will be able to crash these processes as they appear, denying service to
legitimate users. Servers using threaded MPMs will close the connection
on other clients being served by the same process that services the
request from the attacker. In either case there is an increased
processing impact of restarting a process and the cost of per process
caches being lost.
Recommendations:
================
We recommend all users to upgrade to Subversion 1.8.11. Users of
Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
included patch.
New Subversion packages can be found at:
http://subversion.apache.org/packages.html
No known workarounds are available.
References:
===========
CVE-2014-3580 (Subversion)
I see! Will build that this week. Sorry for the delay, but holidays are for family.
The binaries are now on the download page
Quote from: mario on January 11, 2015, 06:40:39 PM
The binaries are now on the download page
Thank you very much!
I will install them later today.