diff --git a/subversion.changes b/subversion.changes index eec5639..0807ff7 100644 --- a/subversion.changes +++ b/subversion.changes @@ -6,6 +6,14 @@ Fri Jul 26 10:03:14 UTC 2019 - matthias.gerstner@suse.com [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html +------------------------------------------------------------------- +Thu Jul 25 08:26:09 UTC 2019 - Tomáš Chvátal + +- Add patches to fix bsc#1142743 and bsc#1142721 CVE-2019-0203 + CVE-2018-11782: + * CVE-2018-11782.patch + * CVE-2019-0203.patch + ------------------------------------------------------------------- Thu Jul 25 07:52:01 UTC 2019 - Tomáš Chvátal @@ -210,6 +218,15 @@ Thu Aug 10 15:04:45 UTC 2017 - astieger@suse.com to execute arbitrary code via specially crafted URLs in svn:externals and svn:sync-from-url properties. (bsc#1051362) +------------------------------------------------------------------- +Wed Aug 9 10:34:08 UTC 2017 - tchvatal@suse.com + +- Apache Subversion 1.8.19 (bsc#1051362): + * A malicious, compromised server or MITM may cause svn client to + execute arbitrary commands by sending repository content with + svn:externals definitions pointing to crafted svn+ssh URLs. + CVE-2017-9800 + ------------------------------------------------------------------- Fri Jul 28 14:18:49 UTC 2017 - astieger@suse.com @@ -234,6 +251,17 @@ Fri Jul 7 11:17:13 UTC 2017 - astieger@suse.com * work around an APR bug related to file truncation * javahl: follow redirects when opening a connection +------------------------------------------------------------------- +Fri Jul 7 11:17:13 UTC 2017 - astieger@suse.com + +- Apache Subversion 1.8.18 (bsc#1026936): + This change makes Subversion resilient to collision attacks, + including SHA-1 collision attacks such as . + https://subversion.apache.org/faq#shattered-sha1 + * fsfs: never attempt to share directory representations + * fsfs: make consistency independent of hash algorithms + * work around an APR bug related to file truncation + ------------------------------------------------------------------- Thu Jun 15 14:37:29 UTC 2017 - nmoudra@suse.com @@ -249,6 +277,36 @@ Mon Mar 13 10:28:41 UTC 2017 - tchvatal@suse.com disabled - Use apache2-rpm-macros to get the apache variables +------------------------------------------------------------------- +Thu Dec 22 14:14:01 UTC 2016 - stsp@elego.de + +- Package the 'svnauthz' binary. + +------------------------------------------------------------------- +Wed Nov 30 12:03:57 UTC 2016 - astieger@suse.com + +- Apache Subversion 1.8.17: + * bsc#1011552 CVE-2016-8734 Unrestricted XML entity expansion in + mod_dontdothat and Subversion clients using http(s):// + * Client-side bugfixes: + + fix handling of newly secured subdirectories in working copy + + ra_serf: fix deleting directories with many files + + gpg-agent: properly handle passwords with percent characters + + merge: fix crash when merging to a local add + * Server-side bugfixes: + + fsfs: fix possible data reconstruction error + + svnlook: properly remove tempfiles on diff errors + * Client-side and server-side bugfixes: + + fix potential memory access bugs + * Bindings bugfixes: + + javahl: fix temporarily accepting SSL server certificates + + swig-pl: do not corrupt "{DATE}" revision variable + + swig-pl: fix possible stack corruption + * Developer-visible changes: + + fix inconsistent behavior of inherited property API + + fix patch filter invocation in svn_client_patch() + + fix potential build issue with invalid SVN_LOCALE_DIR + ------------------------------------------------------------------- Wed Nov 30 07:42:07 UTC 2016 - tchvatal@suse.com @@ -288,6 +346,12 @@ Wed Nov 30 07:42:07 UTC 2016 - tchvatal@suse.com - Drop no longer needed patch: * subversion-1.8.11-swig-py-comment-3.patch +------------------------------------------------------------------- +Thu Aug 4 14:42:36 UTC 2016 - tchvatal@suse.com + +- Add patch to build with swig3 to fix build on sle12sp2+ + * subversion-swig3.patch + ------------------------------------------------------------------- Wed Jun 29 10:52:11 UTC 2016 - tchvatal@suse.com @@ -495,6 +559,15 @@ Thu Apr 9 18:12:48 UTC 2015 - astieger@suse.com - fix tests with SQLite 3.8.9, adding subversion-1.8.13-fix-sqlite-3.8.9-tests.patch +------------------------------------------------------------------- +Wed Apr 1 12:13:37 UTC 2015 - tchvatal@suse.com + +- Apply sec fixes for bnc#923793 bnc#923794 bnc#923795; + CVE-2015-0202 CVE-2015-0248 CVE-2015-0251: + * subversion-bnc923793.patch + * subversion-bnc923794.patch + * subversion-bnc923795.patch + ------------------------------------------------------------------- Tue Mar 31 12:00:00 UTC 2015 - astieger@suse.com @@ -559,6 +632,13 @@ Thu Jan 8 15:41:32 UTC 2015 - bwiedemann@suse.com - fix sysconfig file generation (bnc#911620) +------------------------------------------------------------------- +Fri Jan 2 09:46:08 UTC 2015 - tchvatal@suse.com + +- Sec update bnc#909935 CVE-2014-3580, CVE-2014-8108 + * subversion-CVE-2014-3580.patch + * subversion-CVE-2014-8108.patch + ------------------------------------------------------------------- Thu Dec 18 14:33:55 UTC 2014 - andreas.stieger@gmx.de