Security update for subversion
This update for subversion to 1.9.7 fixes security issues and bugs.
The following vulnerabilities were fixed:
- CVE-2017-9800: A remote attacker could have caused svn clients to execute arbitrary code
via specially crafted URLs in svn:externals and svn:sync-from-url properties. (boo#1051362)
- CVE-2005-4900: SHA-1 collisions may cause repository inconsistencies (boo#1026936)
The following bugfix changes are included:
- Add instructions for running svnserve as a user different from "svn", and remove sysconfig
variables that are no longer effective with the systemd unit. (boo#1049448)
-
Submitted by
Andreas Stieger (AndreasStieger)
Fixed bugs
bnc#1051362
VUL-0: CVE-2017-9800: subversion: client code execution via argument injection in SSH URL
bnc#1026936
VUL-1: subversion: malicious user may commit SHA-1 collisions and cause repository inconsistencies
bnc#1049448
L3-Question: subversion: cannot easily configure svnserve as a user/group other than svn/svn
