Thank you. I am trying to understand what the recommendation is here. I am currently using SVN 1.6.6 and have apache 2.2.22 in production (reverted back from 2.2.25). At this link: http://subversion.apache.org/security/CVE-2013-4131-advisory.txt
there is this blurb: Making a copy of the repository root is a valid Subversion operation. However, a code change in Apache HTTPD 2.2.25/2.4.5 led to a codepath being exercised for a revision root that was never before executed for a revision root. That code performs a hand-rolled path arithmetic instead of using the internal path manipulation library, and thus passes an invalid path down to a library function which runs an assert() validation on that path. When assertions are enabled, the validation fails and kills the httpd process. When assertions are disabled, code would read beyond allocated memory, which may lead to a segfault or undefined behavior. Is this what I'm running into when I perform a SVN Commit? And the recommendations on that page: Recommendations: ================ We recommend all users to upgrade to Subversion 1.8.1 or 1.7.11. Users who are unable to upgrade may apply the included patches. New Subversion packages can be found at: http://subversion.apache.org/packages.html We remind users that we recommend upgrading Apache HTTPD to 2.2.25 (for repositories served by HTTPD) due to an independent security issue fixed in that HTTPD release: CVE-2013-1896. See <http://s.apache.org/H1a> for details about CVE-2013-1896, including a recommendation for those who serve Subversion repositories with Apache HTTPD 2.4.x. So is this saying that while apache 2.2.25 introduced the issue, I should keep that version for the security vulnerability fix, and upgrade SVN to 1.8.1 or 1.7.11? Thank you! Ed -----Original Message----- From: Eric Covener [mailto:[email protected]] Sent: Wednesday, July 31, 2013 10:42 AM To: [email protected] Subject: EXT :Re: [users@httpd] apache 2.2.25 and svn commit https://issues.apache.org/bugzilla/show_bug.cgi?id=55304 http://svn.apache.org/viewvc?view=revision&revision=r1506714 On Wed, Jul 31, 2013 at 11:33 AM, Brennan, Edward C (HII-Ingalls) <[email protected]> wrote: > Hello, > I recently uninstalled apache 2.2.22 and installed 2.2.25 in order to > address security vulnerabilities. Apache sits on top of subversion. A few > days after the upgrade, some users reported issues performing the "svn > commit" command on a file that resides in a folder with a space in the folder > name. I found that if I create a folder with a space in it, such as "new > folder", put it under cm control, then add a text file under the folder, then > modify the file and attempt an "SVN Commit" command, I get this error in > apache error.log: > > [Wed Jul 31 10:25:13 2013] [error] ... Unable to PUT new contents for > /svn/!svn/wrk/.../svngctest/trunk/new%20folder/myDoc.txt. [403, #0] > [Wed Jul 31 10:25:13 2013] [error] ... Could not create file within the > repository. [404, #160013] > [Wed Jul 31 10:25:13 2013] [error] ... File not found: transaction > '37355-stw', path '/svngctest/trunk/new%20folder/myDoc.txt' [404, #160013] > > If I revert back to apache 2.2.22, the file will commit just fine. So the > installation of apache 2.2.25 seems to have introduced an issue with encoding > spaces? Has anyone else noticed this with apache 2.2.25? > > Thank you, > > Ed Brennan > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > -- Eric Covener [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
