openSUSE Security Update : subversion (openSUSE-SU-2014:0307-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

Apache Subversion was updated to version 1.8.8 :

It fixes a remotely triggerable segfault in mod_dav_svn when svn is
handling the server root and SVNListParentPath is on [bnc#862459]
CVE-2014-0032

- Client-side bugfixes :

- fix automatic relocate for wcs not at repository root

- wc: improve performance when used with SQLite 3.8

- copy: fix some scenarios that broke the working copy

- move: fix errors when moving files between an external
and the parent working copy

- log: resolve performance regression in certain scenarios

- merge: decrease work to detect differences between 3
files

- commit: don't change file permissions inappropriately

- commit: fix assertion due to invalid pool lifetime

- version: don't cut off the distribution version on Linux

- flush stdout before exiting to avoid information being
lost

- status: fix missing sentinel value on warning codes

- update/switch: improve some WC db queries that may
return incorrect results depending on how SQLite is
built

- Server-side bugfixes :

- reduce memory usage during checkout and export

- fsfs: create rep-cache.db with proper permissions

- mod_dav_svn: prevent crashes with SVNListParentPath on
[bnc#862459] CVE-2014-0032

- mod_dav_svn: fix SVNAllowBulkUpdates directive merging

- mod_dav_svn: include requested property changes in
reports

- svnserve: correct default cache size in help text

- svnadmin dump: reduce size of dump files with '--deltas'

- resolve integer underflow that resulted in infinite
loops

- developer visible changes :

- fix occasional failure of check_tests.py 12

- fix failure with SQLite 3.8.1-3.8.3 when built with
SQLITE_ENABLE_STAT3/4 due to bug in SQLite

- specify SQLite defaults that can be changed when SQLite
is built to avoid unexpected behavior with Subversion

- numerous documentation fixes

- svn_client_commit_item3_dup() fix pool lifetime issues

- ra_serf: properly ask multiple certificate validation
providers for acceptance of certificate failures

- release internal fs objects when closing commit editor

- svn_client_proplist4() don't call the callback multiple
times for the same path in order to deliver inherited
properties

- Bindings :

- swig-pl: fix with --enable-sqlite-compatibility-version

- swig: fix building from tarball with an out-of-tree
build

- removed patches :

- subversion-1.8.x-fix-ppc-tests.patch, committed upstream

- packaging changes :

- only require and build with junit when building with
java and running regression tests

- 1.8.6 and 1.8.7 were not released

See also :

http://lists.opensuse.org/opensuse-updates/2014-02/msg00086.html
https://bugzilla.novell.com/show_bug.cgi?id=862459

Solution :

Update the affected subversion packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 75270

Bugtraq ID:

CVE ID: CVE-2014-0032
