RE: EXT :Re: [users@httpd] apache 2.2.25 and svn commit

Thank you.
  I am trying to understand what the recommendation is here.  I am currently using SVN 1.6.6 and have apache 2.2.22 in production (reverted back from 2.2.25).  At this link:  
http://subversion.apache.org/security/CVE-2013-4131-advisory.txt


there is this blurb:

  Making a copy of the repository root is a valid Subversion operation.
  However, a code change in Apache HTTPD 2.2.25/2.4.5 led to a codepath being
  exercised for a revision root that was never before executed for a revision
  root.  That code performs a hand-rolled path arithmetic instead of using the
  internal path manipulation library, and thus passes an invalid path down to
  a library function which runs an assert() validation on that path.

  When assertions are enabled, the validation fails and kills the httpd
  process.  When assertions are disabled, code would read beyond allocated
  memory, which may lead to a segfault or undefined behavior. 


Is this what I'm running into when I perform a SVN Commit?

And the recommendations on that page:

Recommendations:
================

  We recommend all users to upgrade to Subversion 1.8.1 or 1.7.11.
  Users who are unable to upgrade may apply the included patches.
  
  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  We remind users that we recommend upgrading Apache HTTPD to 2.2.25 (for
  repositories served by HTTPD) due to an independent security issue fixed
  in that HTTPD release: CVE-2013-1896.  See <http://s.apache.org/H1a> for
  details about CVE-2013-1896, including a recommendation for those who serve
  Subversion repositories with Apache HTTPD 2.4.x.

So is this saying that while apache 2.2.25 introduced the issue, I should keep that version for the security vulnerability fix, and upgrade SVN to 1.8.1 or 1.7.11?

Thank you!
Ed

-----Original Message-----
From: Eric Covener [mailto:covener@xxxxxxxxx] 
Sent: Wednesday, July 31, 2013 10:42 AM
To: users@xxxxxxxxxxxxxxxx
Subject: EXT :Re:  apache 2.2.25 and svn commit

https://issues.apache.org/bugzilla/show_bug.cgi?id=55304
http://svn.apache.org/viewvc?view=revision&revision=r1506714

On Wed, Jul 31, 2013 at 11:33 AM, Brennan, Edward C (HII-Ingalls)
<ed.brennan@xxxxxxxxxxxxxxx> wrote:
> Hello,
>   I recently uninstalled apache 2.2.22 and installed 2.2.25 in order to address security vulnerabilities.  Apache sits on top of subversion.  A few days after the upgrade, some users reported issues performing the "svn commit" command on a file that resides in a folder with a space in the folder name.  I found that if I create a folder with a space in it, such as "new folder", put it under cm control, then add a text file under the folder, then modify the file and attempt an "SVN Commit" command, I get this error in apache error.log:
>
> [Wed Jul 31 10:25:13 2013] [error] ... Unable to PUT new contents for /svn/!svn/wrk/.../svngctest/trunk/new%20folder/myDoc.txt.  [403, #0]
> [Wed Jul 31 10:25:13 2013] [error] ... Could not create file within the repository.  [404, #160013]
> [Wed Jul 31 10:25:13 2013] [error] ... File not found: transaction '37355-stw', path '/svngctest/trunk/new%20folder/myDoc.txt'  [404, #160013]
>
> If I revert back to apache 2.2.22, the file will commit just fine.  So the installation of apache 2.2.25 seems to have introduced an issue with encoding spaces?  Has anyone else noticed this with apache 2.2.25?
>
> Thank you,
>
> Ed Brennan
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>



-- 
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
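
Added example, not part of either message in this thread and not Apache or Subversion project code: a Python triage script that scans an httpd error.log for the symptom quoted above, a "File not found" transaction error whose repository path still contains percent-escapes such as `%20`. The sample log is constructed; the client address, activity id, transaction names and repository paths in it are made up, and treating an escaped path as a sign of this regression is a heuristic assumption.

```python
import re
from urllib.parse import unquote

# Trailing "[http_status, #svn_error_code]" seen on the error lines in the thread.
TRAILER = re.compile(r"\[(\d{3}), #(\d+)\]\s*$")
# Transaction name and path quoted in the "File not found" error.
FS_ERROR = re.compile(r"File not found: transaction '([^']+)', path '([^']+)'")
# A URI percent-escape such as %20.
ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed sample log, modelled on the excerpt in the thread. The client
# address, activity id, transaction names and repository paths are made up.
SAMPLE_LOG = """\
[Wed Jul 31 10:25:13 2013] [error] [client 192.0.2.10] Unable to PUT new contents for /svn/!svn/wrk/example-activity/proj/trunk/new%20folder/myDoc.txt.  [403, #0]
[Wed Jul 31 10:25:13 2013] [error] [client 192.0.2.10] Could not create file within the repository.  [404, #160013]
[Wed Jul 31 10:25:13 2013] [error] [client 192.0.2.10] File not found: transaction '100-2s', path '/proj/trunk/new%20folder/myDoc.txt'  [404, #160013]
[Wed Jul 31 10:31:02 2013] [error] [client 192.0.2.11] File not found: transaction '101-2t', path '/proj/trunk/missing.txt'  [404, #160013]
"""


def find_encoded_fs_paths(log_text):
    """Return one record per "File not found" error whose path is still URI-encoded."""
    findings = []
    for line in log_text.splitlines():
        fs_error = FS_ERROR.search(line)
        trailer = TRAILER.search(line)
        if not fs_error or not trailer:
            continue
        transaction, raw_path = fs_error.groups()
        # A path without escapes is an ordinary missing-file error; skip it.
        if not ESCAPE.search(raw_path):
            continue
        findings.append({
            "transaction": transaction,
            "raw_path": raw_path,
            "decoded_path": unquote(raw_path),
            "http_status": int(trailer.group(1)),
            "svn_error": int(trailer.group(2)),
        })
    return findings


if __name__ == "__main__":
    for hit in find_encoded_fs_paths(SAMPLE_LOG):
        print("txn %(transaction)s: looked up %(raw_path)r, "
              "decodes to %(decoded_path)r [%(http_status)d, #%(svn_error)d]" % hit)
```

A repository entry whose name really contains the literal characters `%20` would also be reported, so compare each decoded path against the repository before drawing conclusions.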

