Pullup ticket #6613 - requested by bsiegert
devel/java-subversion: security update
devel/p5-subversion: security update
devel/py-subversion: security update
devel/ruby-subversion: security update
devel/subversion-base: security update
devel/subversion: security update

Revisions pulled up:
- devel/java-subversion/Makefile                                1.62
- devel/p5-subversion/Makefile                                  1.122
- devel/py-subversion/Makefile                                  1.95
- devel/ruby-subversion/Makefile                                1.84
- devel/subversion-base/Makefile                                1.130
- devel/subversion/Makefile                                    1.68
- devel/subversion/Makefile.version                            1.88
- devel/subversion/distinfo                                    1.119

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  bsiegert
  Date:          Tue Apr 12 16:24:29 UTC 2022

  Modified Files:
          pkgsrc/devel/java-subversion: Makefile
          pkgsrc/devel/p5-subversion: Makefile
          pkgsrc/devel/py-subversion: Makefile
          pkgsrc/devel/ruby-subversion: Makefile
          pkgsrc/devel/subversion: Makefile.version distinfo
          pkgsrc/devel/subversion-base: Makefile

  Log Message:
  subversion: update to 1.4.2 (security).

  HIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:

  CVE-2021-28544
  "SVN authz protected copyfrom paths regression"

  The full security advisory for CVE-2021-28544 is available at:
      https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
      https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc

  A brief summary of this advisory follows:

      Subversion servers reveal 'copyfrom' paths that should be hidden according to
      configured path-based authorization (authz) rules.  When a node has been
      copied from a protected location, users with access to the copy can see the
      `copyfrom' path of the original.  This also reveals the fact that
      the node was copied.
      Only the 'copyfrom' path is revealed; not its contents. Both httpd
      and svnserve
      servers are vulnerable.

      We recommend all users to upgrade to a known fixed release of the
      Subversion server.

      This issue was reported by Evgeny Kotkov

  CVE-2022-24070
  "Subversion's mod_dav_svn is vulnerable to memory corruption"

  The full security advisory for CVE-2022-24070 is available at:
      https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
      https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc

  A brief summary of this advisory follows:

      While looking up path-based authorization rules, mod_dav_svn servers
      may attempt to use memory which has already been freed.

      We recommend all users to upgrade to a known fixed release of the
      Subversion server.

      This issue was reported by Thomas Wei��schuh

  To generate a diff of this commit:
  cvs rdiff -u -r1.61 -r1.62 pkgsrc/devel/java-subversion/Makefile
  cvs rdiff -u -r1.121 -r1.122 pkgsrc/devel/p5-subversion/Makefile
  cvs rdiff -u -r1.94 -r1.95 pkgsrc/devel/py-subversion/Makefile
  cvs rdiff -u -r1.83 -r1.84 pkgsrc/devel/ruby-subversion/Makefile
  cvs rdiff -u -r1.87 -r1.88 pkgsrc/devel/subversion/Makefile.version
  cvs rdiff -u -r1.118 -r1.119 pkgsrc/devel/subversion/distinfo
  cvs rdiff -u -r1.129 -r1.130 pkgsrc/devel/subversion-base/Makefile

-------------------------------------------------------------------
  Module Name:    pkgsrc
  Committed By:  wiz
  Date:          Tue Apr 12 21:40:36 UTC 2022

  Modified Files:
          pkgsrc/devel/subversion: Makefile

  Log Message:
  subversion: reset PKGREVISION after update

  To generate a diff of this commit:
  cvs rdiff -u -r1.67 -r1.68 pkgsrc/devel/subversion/Makefile

(spz)