Bug 830031 (CVE-2013-4131) - VUL-0: CVE-2013-4131: subversion: Apache Subversion 1.7.11 maintenance release
Summary: VUL-0: CVE-2013-4131: subversion: Apache Subversion 1.7.11 maintenance release
Status: VERIFIED FIXED
Alias: CVE-2013-4131
Product: openSUSE 12.3
Classification: openSUSE
Component: Maintenance
Version: Final
Hardware: All openSUSE 12.3
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: E-mail List
Reported: 2013-07-17 21:33 UTC by Andreas Stieger
Modified: 2013-12-13 13:06 UTC

Description Andreas Stieger 2013-07-17 21:33:44 UTC
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0

The following release is being prepared.


Version 1.7.11
(23 Jul 2013, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.11

 User-visible changes:
  - General
    * translation updates for Simplified Chinese

  - Server-side bugfixes:
    * mod_dav_svn: fix incorrect path canonicalization (r1503528)

  - Other tool improvements and bugfixes:
    * fix argument processing in contrib hook scripts (r1485350)

 Developer-visible changes:
  - Bindings:
    * javahl: fix bug in error constructing code (r1405922)



Reproducible: Always

Steps to Reproduce:
1. svn --version
Actual Results:  
svn, version 1.7.10 (r1485443)



Expected Results:  
svn, version 1.7.11 (r1503888)
Comment 1 Andreas Stieger 2013-07-24 17:48:09 UTC
1.7.11 and 1.8.1 releases address one security issue:
    CVE-2013-4131: mod_dav_svn assertion from requests against root path.

https://subversion.apache.org/security/CVE-2013-4131-advisory.txt

1.7.11 Maintenance requests for openSUSE 12.2 and 12.3:
https://build.opensuse.org/request/show/184222

1.8.1 SR to openSUSE:Factory:
https://build.opensuse.org/request/show/184223
Comment 2 Bernhard Wiedemann 2013-07-24 18:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (830031) was mentioned in
https://build.opensuse.org/request/show/184224 Factory / subversion
Comment 3 Marcus Meissner 2013-07-25 06:43:41 UTC
As there is a security issue, security is tracking this.

From the advisory linked:
  Subversion 1.8.1
  Subversion 1.7.11
  svnserve (any version) is not vulnerable.
  Subversion 1.6.x is not vulnerable.

So SLE is not affected.
Comment 4 Swamp Workflow Management 2013-08-01 08:04:22 UTC
openSUSE-SU-2013:1286-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 830031
CVE References: CVE-2013-4131
Sources used:
openSUSE 12.3 (src):    subversion-1.7.11-2.12.1
openSUSE 12.2 (src):    subversion-1.7.11-4.20.1
Comment 5 Andreas Stieger 2013-08-23 12:41:24 UTC
updates released, closing
Comment 6 Swamp Workflow Management 2013-12-13 13:06:01 UTC
openSUSE-SU-2013:1869-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 528714,649861,662030,713919,788015,794676,830031,836245,850747
CVE References: CVE-2010-3315,CVE-2010-4539,CVE-2010-4644,CVE-2013-1884,CVE-2013-4131,CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 11.4 (src):    subversion-1.7.14-59.1