File _patchinfo of Package patchinfo.5431
<patchinfo incident="5431">
<issue id="897033" tracker="bnc">devel:tools:scm:svn/sqlite3: Bug</issue>
<issue id="909935" tracker="bnc">VUL-0: CVE-2014-3580, CVE-2014-8108: subversion: remotely triggerable segfault DoS vulnerabilities</issue>
<issue id="923795" tracker="bnc">VUL-0: CVE-2015-0251: subversion: spoofing of svn:author property values for new revisions</issue>
<issue id="976850" tracker="bnc">VUL-0: CVE-2016-2168: subversion: mod_authz_svn: DoS in MOVE/COPY authorization check</issue>
<issue id="983938" tracker="bnc">`After=syslog.target` left-overs in several unit files</issue>
<issue id="911620" tracker="bnc">svn server (svnserve) cannot be started via yast > service manager - Systemd EnvironmentFile is missing</issue>
<issue id="939517" tracker="bnc">VUL-1: CVE-2015-3187: subversion: svn_repos_trace_node_locations() reveals paths hidden by authz</issue>
<issue id="916286" tracker="bnc">Wrong subversion.conf</issue>
<issue id="969159" tracker="bnc">subversion dependencies do not enforce matching password store (here: svn_kwallet)</issue>
<issue id="1051362" tracker="bnc">VUL-0: CVE-2017-9800: subversion: client code execution via argument injection in SSH URL</issue>
<issue id="976849" tracker="bnc">VUL-1: CVE-2016-2167: subversion: svnserve/sasl may authenticate users using the wrong realm</issue>
<issue id="958300" tracker="bnc">VUL-0: CVE-2015-5343: subversion: Heap overflow and out-of-bounds read in mod_dav_svn</issue>
<issue id="1011552" tracker="bnc">VUL-1: CVE-2016-8734: subversion: Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://</issue>
<issue id="923793" tracker="bnc">VUL-0: CVE-2015-0202: subversion: mod_dav_svn with FSFS repositories remotely triggerable excessive memory use with certain REPORT requests</issue>
<issue id="939514" tracker="bnc">VUL-0: CVE-2015-3184: subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4</issue>
<issue id="1026936" tracker="bnc">VUL-1: subversion: malicious user may commit SHA-1 collisions and cause repository inconsistencies</issue>
<issue id="977424" tracker="bnc">"svn: E120190: Error running context: An error occurred during authentication" when accessing subversion repositories</issue>
<issue id="923794" tracker="bnc">VUL-0: CVE-2015-0248: subversion: mod_dav_svn and svnserve remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers</issue>
<issue id="942819" tracker="bnc">Latest subversion update pulls in 180+ new packages as dependencies</issue>
<issue id="2014-3580" tracker="cve" />
<issue id="2015-3184" tracker="cve" />
<issue id="2017-9800" tracker="cve" />
<issue id="2015-0248" tracker="cve" />
<issue id="2016-8734" tracker="cve" />
<issue id="2016-2168" tracker="cve" />
<issue id="2014-8108" tracker="cve" />
<issue id="2015-3187" tracker="cve" />
<issue id="2015-0251" tracker="cve" />
<issue id="2015-0202" tracker="cve" />
<issue id="2015-5343" tracker="cve" />
<issue id="2016-2167" tracker="cve" />
<category>security</category>
<rating>important</rating>
<packager>scarabeus_iv</packager>
<description>This update for subversion fixes the following issues:
- CVE-2017-9800: A malicious, compromised server or MITM may cause svn client to
execute arbitrary commands by sending repository content with
svn:externals definitions pointing to crafted svn+ssh URLs. (bsc#1051362)
- Malicious user may commit SHA-1 collisions and cause repository inconsistencies (bsc#1026936)
- CVE-2016-8734: Unrestricted XML entity expansion in
mod_dontdothat and Subversion clients using http(s):// could lead to denial of service (bsc#1011552)
- CVE-2016-2167: svnserve/sasl may authenticate users using the wrong realm (bsc#976849)
- CVE-2016-2168: Remotely triggerable DoS vulnerability in mod_authz_svn during COPY/MOVE authorization check (bsc#976850)
- mod_authz_svn: fix authz with mod_auth_kerb/mod_auth_ntlm (bsc#977424)
- make the subversion package conflict with KWallet and Gnome
Keyring packages with do not require matching subversion versions
in SLE 12 and openSUSE Leap 42.1 and thus break the main package
upon partial upgrade. (bsc#969159)
- CVE-2015-5343: Remotely triggerable heap overflow and out-of-bounds read in
mod_dav_svn caused by integer overflow when parsing skel-encoded
request bodies. (bsc#958300)
- Avoid recommending 180+ new pkgs for installation on minimal
setup due subversion-password-store (bsc#942819)
- CVE-2015-3184: mod_authz_svn: mixed anonymous/authenticated
httpd (dav) configurations could lead to information leak (bsc#939514)
- CVE-2015-3187: do not leak paths that were hidden by path-based authz (bsc#939517)
- CVE-2015-0202: Subversion HTTP servers with FSFS repositories were vulnerable
to a remotely triggerable excessive memory use with certain
REPORT requests. (bsc#923793)
- CVE-2015-0248: Subversion mod_dav_svn and svnserve were vulnerable to a
remotely triggerable assertion DoS vulnerability for certain
requests with dynamically evaluated revision numbers.
(bsc#923794)
- CVE-2015-0251: Subversion HTTP servers allow spoofing svn:author property
values for new revisions (bsc#923795)
- fix sample configuration comments in subversion.conf (bsc#916286)
- fix sysconfig file generation (bsc#911620)
- CVE-2014-3580: mod_dav_svn invalid REPORT requests could lead to denial of service (bsc#909935)
- CVE-2014-8108: mod_dav_svn use of invalid transaction names could lead to denial of service (bsc#909935)
- INSTALL#SQLite says 'Subversion 1.8 requires SQLite version 3.7.12 or above';
therefore I lowered the sqlite requirement to make the subversion run on
older system versions, tooi. [bsc#897033]
</description>
<summary>Security update for subversion</summary>
</patchinfo>
