File _patchinfo of Package patchinfo.7085
<patchinfo incident="7085">
  <issue id="1051362" tracker="bnc">VUL-0: CVE-2017-9800: subversion: client code execution via argument injection in SSH URL</issue>
  <issue id="1026936" tracker="bnc">VUL-1: subversion: malicious user may commit SHA-1 collisions and cause repository inconsistencies</issue>
  <issue id="1049448" tracker="bnc">L3-Question: subversion: cannot easily configure svnserve as a user/group other than svn/svn</issue>
  <issue id="2017-9800" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>AndreasStieger</packager>
  <description>This update for subversion to 1.9.7 fixes security issues and bugs.

The following vulnerabilities were fixed:

- CVE-2017-9800: A remote attacker could have caused svn clients to execute arbitrary code via specially crafted URLs in svn:externals and svn:sync-from-url properties. (boo#1051362)
- CVE-2005-4900: SHA-1 collisions may cause repository inconsistencies (boo#1026936)

The following bugfix changes are included:

- Add instructions for running svnserve as a user different from "svn", and remove sysconfig variables that are no longer effective with the systemd unit. (boo#1049448)
</description>
  <summary>Security update for subversion</summary>
</patchinfo>