openembedded-core.git/meta/recipes-devtools/subversion, branch dizzy Mirror of openembedded-core subversion: Fix subversion-native on Fedora22 2015-07-26T08:08:47+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-06-26T22:40:41+00:00 7e57945be22c1d141c6a9be6f73f585cd07938a6 Similarly to: http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=9b19d6548a345009a6de79a6820c07a72054d961 we also need to fix the subversion-native case with gcc5 by using the same fix to the BUILD_CPPFLAGS. (From OE-Core rev: a5e7a1e597e7bbe3bbc547f43a89d00a8a9a9924) (From OE-Core rev: 7d445547df528aa9e5bfb85568a7270e27f633ef) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Similarly to:
http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=9b19d6548a345009a6de79a6820c07a72054d961

we also need to fix the subversion-native case with gcc5 by using
the same fix to the BUILD_CPPFLAGS.

(From OE-Core rev: a5e7a1e597e7bbe3bbc547f43a89d00a8a9a9924)

(From OE-Core rev: 7d445547df528aa9e5bfb85568a7270e27f633ef)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: Add -P to CPPFLAGS 2015-07-26T08:08:46+00:00 Khem Raj raj.khem@gmail.com 2015-04-24T03:35:25+00:00 4954cd6abad556d75beec860e82750bb1090a109 see https://gcc.gnu.org/gcc-5/porting_to.html we need to stop the preprocessor from generating the #line directives or we run into issues like | checking for apr_int64_t Python/C API format string... | configure: error: failed to recognize APR_INT64_T_FMT on this platform | Configure failed. The contents of all config.log files follows to aid debugging | ERROR: oe_runconf failed Rightly subversion should be fixed but lets leave that to subversion folks Change-Id: I02a89798ff949f79967ab0a73adcddaa4218662d (From OE-Core rev: 7793b1c425077ed6ed11a9bc2a8b1b96612b1c96) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
see https://gcc.gnu.org/gcc-5/porting_to.html

we need to stop the preprocessor from generating the #line directives
or we run into issues like

| checking for apr_int64_t Python/C API format string...
| configure: error: failed to recognize APR_INT64_T_FMT on this platform
| Configure failed. The contents of all config.log files follows to aid
debugging
| ERROR: oe_runconf failed

Rightly subversion should be fixed but lets leave that to subversion
folks

Change-Id: I02a89798ff949f79967ab0a73adcddaa4218662d
(From OE-Core rev: 7793b1c425077ed6ed11a9bc2a8b1b96612b1c96)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: Security Advisory - subversion - CVE-2014-3528 2014-11-21T16:48:32+00:00 Yue Tao Yue.Tao@windriver.com 2014-10-22T07:37:29+00:00 4ff3355e4daf841c66fb78e88bf2d6e26d8f9ced Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528 (From OE-Core rev: e0dc0432b13f38d16f642bdadf8ebc78b7a74806) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before
1.8.10 uses an MD5 hash of the URL and authentication realm to store
cached credentials, which makes it easier for remote servers to obtain
the credentials via a crafted authentication realm.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528

(From OE-Core rev: e0dc0432b13f38d16f642bdadf8ebc78b7a74806)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: Security Advisory - subversion - CVE-2014-3522 2014-11-21T16:48:21+00:00 Yue Tao Yue.Tao@windriver.com 2014-10-22T07:37:28+00:00 529ce75be949944a6e54151cd4233703e40c6351 The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.<a href=http://cwe.mitre.org/data/definitions/297.html target=_blank>CWE-297: Improper Validation of Certificate with Host Mismatch</a> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3522 (From OE-Core rev: 06a33cd00ea11abec1ebe9d5883e44778075ccc6) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18
and 1.8.x before 1.8.10 does not properly handle wildcards in the Common
Name (CN) or subjectAltName field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof servers via a crafted
certificate.<a href=http://cwe.mitre.org/data/definitions/297.html
target=_blank>CWE-297: Improper Validation of Certificate with Host
Mismatch</a>

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3522

(From OE-Core rev: 06a33cd00ea11abec1ebe9d5883e44778075ccc6)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: Disable make install parallelism 2014-07-18T23:08:46+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2014-07-18T12:40:31+00:00 f5569d30b98418b201766ad07b177aac5fae4a41 The Makefile generation for subversion is horrible, I can't figure out where the dependencies are missing, it looks like they might be missing everywhere. Give up and disable parallel make install. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The Makefile generation for subversion is horrible, I can't figure out
where the dependencies are missing, it looks like they might be missing
everywhere. Give up and disable parallel make install.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: neon support was dropped, switch to serf 2014-07-17T22:13:56+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2014-07-17T20:37:38+00:00 1838153de3a68ac391bdec139446e496ad093763 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: Upgrade 1.7.7 -> 1.8.9 2014-07-17T11:27:05+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2014-07-16T12:31:59+00:00 99c3225cfe39f8de89555df5bd3f1e93cd731269 Dropped neon patches as neon support was dropped. Dropped CVE patches as applied in later version Added patch to avoid OS-X check which doesn't cross compile Add PACKAGECONFIG for gnome-keyring Addition to license: For the file subversion/libsvn_subr/utf_width.c * Markus Kuhn -- 2007-05-26 (Unicode 5.0) * * Permission to use, copy, modify, and distribute this software * for any purpose and without fee is hereby granted. The author * disclaims all warranties with regard to this software. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Dropped neon patches as neon support was dropped.
Dropped CVE patches as applied in later version
Added patch to avoid OS-X check which doesn't cross compile
Add PACKAGECONFIG for gnome-keyring

Addition to license:

For the file subversion/libsvn_subr/utf_width.c
* Markus Kuhn -- 2007-05-26 (Unicode 5.0)
*
* Permission to use, copy, modify, and distribute this software
* for any purpose and without fee is hereby granted. The author
* disclaims all warranties with regard to this software.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: fix for Security Advisory CVE-2013-4277 2014-05-21T08:08:10+00:00 Yue Tao Yue.Tao@windriver.com 2014-05-08T10:16:24+00:00 e0e483c5b2f481240e590ebb7d6189a211450a7e Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4277 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through
1.8.1 allows local users to overwrite arbitrary files or kill arbitrary
processes via a symlink attack on the file specified by the --pid-file
option.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4277

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
subversion: fix for Security Advisory CVE-2013-1847 and CVE-2013-1846 2014-05-21T08:08:10+00:00 Yue Tao Yue.Tao@windriver.com 2014-04-15T07:22:17+00:00 3962b76185194fa56be7f1689204a1188ea44737 The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a LOCK on an activity URL. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1846 The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1847 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21
and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of
service (NULL pointer dereference and crash) via a LOCK on an activity URL.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1846

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20
and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service
(NULL pointer dereference and crash) via an anonymous LOCK for a URL that does
not exist.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1847

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
subversion: fix for Security Advisory CVE-2013-1845 2014-05-21T08:08:09+00:00 Yue Tao Yue.Tao@windriver.com 2014-04-15T05:21:25+00:00 432666b84b80f8b0d13672aa94855369f577c56d The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1845 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before
1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to
cause a denial of service (memory consumption) by (1) setting or (2)
deleting a large number of properties for a file or directory.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1845

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>