openembedded-core.git/meta/recipes-devtools/subversion, branch fido Mirror of openembedded-core subversion: fix CVE-2015-3187 2016-02-07T17:20:58+00:00 Wenzong Fan wenzong.fan@windriver.com 2016-02-06T23:14:49+00:00 b45dcbadc1a51188ac6dead855e14a181a7bccd9 The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path. Patch is from: http://subversion.apache.org/security/CVE-2015-3187-advisory.txt (From OE-Core master rev: 6da25614edcad30fdb4bea8ff47b81ff81cdaed2) (From OE-Core rev: e1e277bf51c6f00268358f6bf8623261b1b9bc22) Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The svn_repos_trace_node_locations function in Apache Subversion before
1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used,
allows remote authenticated users to obtain sensitive path information
by reading the history of a node that has been moved from a hidden path.

Patch is from:
http://subversion.apache.org/security/CVE-2015-3187-advisory.txt

(From OE-Core master rev: 6da25614edcad30fdb4bea8ff47b81ff81cdaed2)

(From OE-Core rev: e1e277bf51c6f00268358f6bf8623261b1b9bc22)

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: fix CVE-2015-3184 2016-02-07T17:20:58+00:00 Wenzong Fan wenzong.fan@windriver.com 2016-02-06T23:14:48+00:00 e4a1caecc5ae6b8488ec8ed7d303296af99146c0 mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name. Patch is from: http://subversion.apache.org/security/CVE-2015-3184-advisory.txt (From OE-Core master rev: 29eb921ed074d86fa8d5b205a313eb3177473a63) (From OE-Core rev: 7af7a3e692a6cd0d92768024efe32bfa7d83bc8f) Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before
1.8.14, when using Apache httpd 2.4.x, does not properly restrict
anonymous access, which allows remote anonymous users to read hidden
files via the path name.

Patch is from:
http://subversion.apache.org/security/CVE-2015-3184-advisory.txt

(From OE-Core master rev: 29eb921ed074d86fa8d5b205a313eb3177473a63)

(From OE-Core rev: 7af7a3e692a6cd0d92768024efe32bfa7d83bc8f)

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: Fix subversion-native on Fedora22 2015-06-28T08:45:37+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-06-26T22:40:41+00:00 7d445547df528aa9e5bfb85568a7270e27f633ef Similarly to: http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=9b19d6548a345009a6de79a6820c07a72054d961 we also need to fix the subversion-native case with gcc5 by using the same fix to the BUILD_CPPFLAGS. (From OE-Core rev: a5e7a1e597e7bbe3bbc547f43a89d00a8a9a9924) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Similarly to:
http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=9b19d6548a345009a6de79a6820c07a72054d961

we also need to fix the subversion-native case with gcc5 by using
the same fix to the BUILD_CPPFLAGS.

(From OE-Core rev: a5e7a1e597e7bbe3bbc547f43a89d00a8a9a9924)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: Add -P to CPPFLAGS 2015-06-28T08:45:33+00:00 Khem Raj raj.khem@gmail.com 2015-04-24T03:35:25+00:00 a240d28492f05c22198dd4b20c11c0d510f0c897 see https://gcc.gnu.org/gcc-5/porting_to.html we need to stop the preprocessor from generating the #line directives or we run into issues like | checking for apr_int64_t Python/C API format string... | configure: error: failed to recognize APR_INT64_T_FMT on this platform | Configure failed. The contents of all config.log files follows to aid debugging | ERROR: oe_runconf failed Rightly subversion should be fixed but lets leave that to subversion folks Change-Id: I02a89798ff949f79967ab0a73adcddaa4218662d (From OE-Core rev: 7793b1c425077ed6ed11a9bc2a8b1b96612b1c96) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
see https://gcc.gnu.org/gcc-5/porting_to.html

we need to stop the preprocessor from generating the #line directives
or we run into issues like

| checking for apr_int64_t Python/C API format string...
| configure: error: failed to recognize APR_INT64_T_FMT on this platform
| Configure failed. The contents of all config.log files follows to aid
debugging
| ERROR: oe_runconf failed

Rightly subversion should be fixed but lets leave that to subversion
folks

Change-Id: I02a89798ff949f79967ab0a73adcddaa4218662d
(From OE-Core rev: 7793b1c425077ed6ed11a9bc2a8b1b96612b1c96)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: 1.8.10 -> 1.8.11 2015-02-14T22:26:07+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-02-13T14:44:31+00:00 6218b590e02afc346b473e62ee4e4624b677cacf Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion 1.6.15: fix unknown-configure-option 2015-02-07T18:52:47+00:00 Robert Yang liezhi.yang@windriver.com 2015-01-28T01:10:37+00:00 49ad2ba8c2ffe57300b37e6bd0d9d25eb30a5449 WARNING: QA Issue: subversion: configure was passed unrecognised options: --without-apache [unknown-configure-option] Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 
WARNING: QA Issue: subversion: configure was passed unrecognised options: --without-apache [unknown-configure-option]

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
subversion: 1.8.9 -> 1.8.10 2014-11-06T16:41:34+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2014-11-04T07:17:24+00:00 aa3aa6fff5b5e5b36b76665846e8b7f0408f7e81 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion: Security Advisory - subversion - CVE-2014-3528 2014-11-04T10:19:53+00:00 Yue Tao Yue.Tao@windriver.com 2014-10-22T07:37:29+00:00 e0dc0432b13f38d16f642bdadf8ebc78b7a74806 Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before
1.8.10 uses an MD5 hash of the URL and authentication realm to store
cached credentials, which makes it easier for remote servers to obtain
the credentials via a crafted authentication realm.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
subversion: Security Advisory - subversion - CVE-2014-3522 2014-11-04T10:19:53+00:00 Yue Tao Yue.Tao@windriver.com 2014-10-22T07:37:28+00:00 06a33cd00ea11abec1ebe9d5883e44778075ccc6 The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.<a href=http://cwe.mitre.org/data/definitions/297.html target=_blank>CWE-297: Improper Validation of Certificate with Host Mismatch</a> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3522 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18
and 1.8.x before 1.8.10 does not properly handle wildcards in the Common
Name (CN) or subjectAltName field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof servers via a crafted
certificate.<a href=http://cwe.mitre.org/data/definitions/297.html
target=_blank>CWE-297: Improper Validation of Certificate with Host
Mismatch</a>

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3522

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
subversion: Disable make install parallelism 2014-07-18T23:08:46+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2014-07-18T12:40:31+00:00 f5569d30b98418b201766ad07b177aac5fae4a41 The Makefile generation for subversion is horrible, I can't figure out where the dependencies are missing, it looks like they might be missing everywhere. Give up and disable parallel make install. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The Makefile generation for subversion is horrible, I can't figure out
where the dependencies are missing, it looks like they might be missing
everywhere. Give up and disable parallel make install.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>