---
- branch: MAIN
  date: Tue Apr 12 16:24:29 UTC 2022
  files:
  - new: '1.62'
    old: '1.61'
    path: pkgsrc/devel/java-subversion/Makefile
    pathrev: pkgsrc/devel/java-subversion/Makefile@1.62
    type: modified
  - new: '1.122'
    old: '1.121'
    path: pkgsrc/devel/p5-subversion/Makefile
    pathrev: pkgsrc/devel/p5-subversion/Makefile@1.122
    type: modified
  - new: '1.95'
    old: '1.94'
    path: pkgsrc/devel/py-subversion/Makefile
    pathrev: pkgsrc/devel/py-subversion/Makefile@1.95
    type: modified
  - new: '1.84'
    old: '1.83'
    path: pkgsrc/devel/ruby-subversion/Makefile
    pathrev: pkgsrc/devel/ruby-subversion/Makefile@1.84
    type: modified
  - new: '1.88'
    old: '1.87'
    path: pkgsrc/devel/subversion/Makefile.version
    pathrev: pkgsrc/devel/subversion/Makefile.version@1.88
    type: modified
  - new: '1.119'
    old: '1.118'
    path: pkgsrc/devel/subversion/distinfo
    pathrev: pkgsrc/devel/subversion/distinfo@1.119
    type: modified
  - new: '1.130'
    old: '1.129'
    path: pkgsrc/devel/subversion-base/Makefile
    pathrev: pkgsrc/devel/subversion-base/Makefile@1.130
    type: modified
  id: 20220412T162429Z.6f300dc6c24145ad05b3b9c6c8b6f0fd323076db
  log: |
    subversion: update to 1.4.2 (security).

    THIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:

    CVE-2021-28544
    "SVN authz protected copyfrom paths regression"

    The full security advisory for CVE-2021-28544 is available at:
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc

    A brief summary of this advisory follows:

    Subversion servers reveal 'copyfrom' paths that should be hidden
    according to configured path-based authorization (authz) rules.
    When a node has been copied from a protected location, users with
    access to the copy can see the `copyfrom' path of the original.
    This also reveals the fact that the node was copied. Only the
    'copyfrom' path is revealed; not its contents. Both httpd and
    svnserve servers are vulnerable.

    We recommend all users to upgrade to a known fixed release of the
    Subversion server.

    This issue was reported by Evgeny Kotkov

    CVE-2022-24070
    "Subversion's mod_dav_svn is vulnerable to memory corruption"

    The full security advisory for CVE-2022-24070 is available at:
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc

    A brief summary of this advisory follows:

    While looking up path-based authorization rules, mod_dav_svn
    servers may attempt to use memory which has already been freed.

    We recommend all users to upgrade to a known fixed release of the
    Subversion server.

    This issue was reported by Thomas Weißschuh
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/devel'
  unixtime: '1649780669'
  user: bsiegert