Thanks, Ben. So based on your response, I still don't know what caused the error. I introduced apache 2.2.25 into my environment, and I get the error (which is why I posted to users@httpd, since I didn't introduce a new subversion). But when I revert back to apache 2.2.22, I don't get the error. I assumed the new software introduced the issue. Guess I can upgrade subversion, and put apache back to 2.2.25 and see if the error persists. I appreciate your feedback. -----Original Message----- From: Ben Reser [mailto:ben@xxxxxxxxx] Sent: Thursday, August 01, 2013 8:52 PM To: users@xxxxxxxxxxxxxxxx Subject: EXT :Re: RE: EXT :Re: [users@httpd] apache 2.2.25 and svn commit First of all this probably belongs on users@xxxxxxxxxxxxxxxxxxxxx... On Wed, Jul 31, 2013 at 1:43 PM, Brennan, Edward C (HII-Ingalls) <ed.brennan@xxxxxxxxxxxxxxx> wrote: > Thank you. > I am trying to understand what the recommendation is here. I am currently using SVN 1.6.6 and have apache 2.2.22 in production (reverted back from 2.2.25). At this link: > http://subversion.apache.org/security/CVE-2013-4131-advisory.txt That issue is not applicable to 1.6.x. Note the following bit from the advisory you linked. [[[ Known fixed: ============ Subversion 1.8.1 Subversion 1.7.11 svnserve (any version) is not vulnerable. Subversion 1.6.x is not vulnerable. ]]] > there is this blurb: > > Making a copy of the repository root is a valid Subversion operation. > However, a code change in Apache HTTPD 2.2.25/2.4.5 led to a codepath being > exercised for a revision root that was never before executed for a revision > root. That code performs a hand-rolled path arithmetic instead of using the > internal path manipulation library, and thus passes an invalid path down to > a library function which runs an assert() validation on that path. > > When assertions are enabled, the validation fails and kills the httpd > process. When assertions are disabled, code would read beyond allocated > memory, which may lead to a segfault or undefined behavior. > > > Is this what I'm running into when I perform a SVN Commit? If you were running 1.7.0-1.7.10 or 1.8.0 (including rcs) then yes that code would be run during a commit provided that you were doing a copy or move from or to the repository root. Somehow I suspect that's not what you're doing based on what you've said so far. > And the recommendations on that page: > > Recommendations: > ================ > > We recommend all users to upgrade to Subversion 1.8.1 or 1.7.11. > Users who are unable to upgrade may apply the included patches. > > New Subversion packages can be found at: > http://subversion.apache.org/packages.html > > We remind users that we recommend upgrading Apache HTTPD to 2.2.25 (for > repositories served by HTTPD) due to an independent security issue fixed > in that HTTPD release: CVE-2013-1896. See <http://s.apache.org/H1a> for > details about CVE-2013-1896, including a recommendation for those who serve > Subversion repositories with Apache HTTPD 2.4.x. > > So is this saying that while apache 2.2.25 introduced the issue, I should keep that version for the security vulnerability fix, and upgrade SVN to 1.8.1 or 1.7.11? At a minimum you should upgrade to 1.6.23 as there are several security issues that have been fixed in later 1.6.x releases that are not addressed in the 1.6.6 version you're running now. See this page for the list of security issues: http://subversion.apache.org/security/ However, I should point out that 1.6.x is no longer supported by the Subversion project and you should upgrade to 1.7.11 or 1.8.1 at your earliest convenience. We will not be producing any further updates for 1.6.x. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|