subversion: update to 1.4.2 (security).
HIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:
CVE-2021-28544
"SVN authz protected copyfrom paths regression"
The full security advisory for CVE-2021-28544 is available at:
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc
A brief summary of this advisory follows:
Subversion servers reveal 'copyfrom' paths that should be hidden according to
configured path-based authorization (authz) rules. When a node has been
copied from a protected location, users with access to the copy can see the
`copyfrom' path of the original. This also reveals the fact that
the node was copied.
Only the 'copyfrom' path is revealed; not its contents. Both httpd
and svnserve
servers are vulnerable.
We recommend all users to upgrade to a known fixed release of the
Subversion server.
This issue was reported by Evgeny Kotkov
CVE-2022-24070
"Subversion's mod_dav_svn is vulnerable to memory corruption"
The full security advisory for CVE-2022-24070 is available at:
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc
A brief summary of this advisory follows:
While looking up path-based authorization rules, mod_dav_svn servers
may attempt to use memory which has already been freed.
We recommend all users to upgrade to a known fixed release of the
Subversion server.
This issue was reported by Thomas Wei��schuh
(bsiegert)
diff -r1.61 -r1.62 pkgsrc/devel/java-subversion/Makefile| @@ -1,17 +1,16 @@ | @@ -1,17 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.61 2021/12/08 16:03:59 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.62 2022/04/12 16:24:28 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | PKGNAME= java-subversion-${SVNVER} | 3 | PKGNAME= java-subversion-${SVNVER} | |
| 4 | PKGREVISION= 3 | |||
| 5 | COMMENT= Java bindings for Subversion | 4 | COMMENT= Java bindings for Subversion | |
| 6 | 5 | |||
| 7 | MAKE_JOBS_SAFE= no | 6 | MAKE_JOBS_SAFE= no | |
| 8 | 7 | |||
| 9 | .include "../../devel/subversion/Makefile.common" | 8 | .include "../../devel/subversion/Makefile.common" | |
| 10 | 9 | |||
| 11 | SHLIBTOOL_OVERRIDE= # empty | 10 | SHLIBTOOL_OVERRIDE= # empty | |
| 12 | 11 | |||
| 13 | USE_TOOLS+= gmake perl | 12 | USE_TOOLS+= gmake perl | |
| 14 | USE_LANGUAGES+= c c++ | 13 | USE_LANGUAGES+= c c++ | |
| 15 | USE_JAVA2= yes | 14 | USE_JAVA2= yes | |
| 16 | # We might need PKG_JVM_DEFAULT/PKG_JVMS_ACCEPTED; I'm not much for Java... | 15 | # We might need PKG_JVM_DEFAULT/PKG_JVMS_ACCEPTED; I'm not much for Java... | |
| 17 | 16 |
| @@ -1,17 +1,16 @@ | @@ -1,17 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.121 2021/12/08 16:04:04 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.122 2022/04/12 16:24:28 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | PKGNAME= p5-subversion-${SVNVER} | 3 | PKGNAME= p5-subversion-${SVNVER} | |
| 4 | PKGREVISION= 3 | |||
| 5 | COMMENT= Perl bindings for Subversion | 4 | COMMENT= Perl bindings for Subversion | |
| 6 | 5 | |||
| 7 | .include "../../devel/subversion/Makefile.common" | 6 | .include "../../devel/subversion/Makefile.common" | |
| 8 | 7 | |||
| 9 | SHLIBTOOL_OVERRIDE= # empty | 8 | SHLIBTOOL_OVERRIDE= # empty | |
| 10 | 9 | |||
| 11 | USE_TOOLS+= perl | 10 | USE_TOOLS+= perl | |
| 12 | PERL5_CONFIGURE= no | 11 | PERL5_CONFIGURE= no | |
| 13 | PERL5_OPTIONS+= threads | 12 | PERL5_OPTIONS+= threads | |
| 14 | PERL5_PACKLIST= auto/SVN/_Core/.packlist | 13 | PERL5_PACKLIST= auto/SVN/_Core/.packlist | |
| 15 | 14 | |||
| 16 | BUILD_TARGET= swig-pl | 15 | BUILD_TARGET= swig-pl | |
| 17 | INSTALL_TARGET= install-swig-pl | 16 | INSTALL_TARGET= install-swig-pl |
| @@ -1,17 +1,16 @@ | @@ -1,17 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.94 2021/12/08 16:04:05 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.95 2022/04/12 16:24:28 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | PKGNAME= ${PYPKGPREFIX}-subversion-${SVNVER} | 3 | PKGNAME= ${PYPKGPREFIX}-subversion-${SVNVER} | |
| 4 | PKGREVISION= 3 | |||
| 5 | COMMENT= Python bindings and tools for Subversion | 4 | COMMENT= Python bindings and tools for Subversion | |
| 6 | 5 | |||
| 7 | .include "../../devel/subversion/Makefile.common" | 6 | .include "../../devel/subversion/Makefile.common" | |
| 8 | 7 | |||
| 9 | SHLIBTOOL_OVERRIDE= # empty | 8 | SHLIBTOOL_OVERRIDE= # empty | |
| 10 | TOOLS_BROKEN+= perl | 9 | TOOLS_BROKEN+= perl | |
| 11 | 10 | |||
| 12 | CPPFLAGS+= -P # for APR_INT64_T_FMT | 11 | CPPFLAGS+= -P # for APR_INT64_T_FMT | |
| 13 | CONFIGURE_ARGS+= --with-py3c=${BUILDLINK_PREFIX.py-py3c}/${PYINC}/py3c | 12 | CONFIGURE_ARGS+= --with-py3c=${BUILDLINK_PREFIX.py-py3c}/${PYINC}/py3c | |
| 14 | CONFIGURE_ARGS+= --with-swig=${PREFIX}/bin/swig3.0 | 13 | CONFIGURE_ARGS+= --with-swig=${PREFIX}/bin/swig3.0 | |
| 15 | CONFIGURE_ENV+= PYTHON=${PYTHONBIN:Q} | 14 | CONFIGURE_ENV+= PYTHON=${PYTHONBIN:Q} | |
| 16 | 15 | |||
| 17 | PY_PATCHPLIST= YES | 16 | PY_PATCHPLIST= YES |
| @@ -1,17 +1,16 @@ | @@ -1,17 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.83 2021/12/08 16:04:07 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.84 2022/04/12 16:24:28 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | PKGNAME= ${RUBY_PKGPREFIX}-subversion-${SVNVER} | 3 | PKGNAME= ${RUBY_PKGPREFIX}-subversion-${SVNVER} | |
| 4 | PKGREVISION= 3 | |||
| 5 | COMMENT= Ruby bindings for Subversion | 4 | COMMENT= Ruby bindings for Subversion | |
| 6 | 5 | |||
| 7 | .include "../../devel/subversion/Makefile.common" | 6 | .include "../../devel/subversion/Makefile.common" | |
| 8 | 7 | |||
| 9 | TOOLS_BROKEN+= perl | 8 | TOOLS_BROKEN+= perl | |
| 10 | SHLIBTOOL_OVERRIDE= # empty | 9 | SHLIBTOOL_OVERRIDE= # empty | |
| 11 | 10 | |||
| 12 | REPLACE_RUBY_DIRS= tools | 11 | REPLACE_RUBY_DIRS= tools | |
| 13 | 12 | |||
| 14 | CONFIGURE_ENV+= RUBY=${RUBY:Q} | 13 | CONFIGURE_ENV+= RUBY=${RUBY:Q} | |
| 15 | CONFIGURE_ARGS+= --with-ruby-sitedir=${PREFIX}/${RUBY_VENDORLIB_BASE} | 14 | CONFIGURE_ARGS+= --with-ruby-sitedir=${PREFIX}/${RUBY_VENDORLIB_BASE} | |
| 16 | 15 | |||
| 17 | BUILD_TARGET= swig-rb | 16 | BUILD_TARGET= swig-rb |
| @@ -1,11 +1,11 @@ | @@ -1,11 +1,11 @@ | |||
| 1 | # $NetBSD: Makefile.version,v 1.87 2021/02/14 15:09:19 adam Exp $ | 1 | # $NetBSD: Makefile.version,v 1.88 2022/04/12 16:24:28 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | # When updating subversion, all packages are updated at the same time | 3 | # When updating subversion, all packages are updated at the same time | |
| 4 | # to have a consistent set of packages. A particularly tricky aspect | 4 | # to have a consistent set of packages. A particularly tricky aspect | |
| 5 | # is our interaction with the svn build system. See the make target | 5 | # is our interaction with the svn build system. See the make target | |
| 6 | # "svn-build-outputs-hack" in devel/subversion-base/Makefile when | 6 | # "svn-build-outputs-hack" in devel/subversion-base/Makefile when | |
| 7 | # changing the version. | 7 | # changing the version. | |
| 8 | 8 | |||
| 9 | .if !defined(SVNVER) | 9 | .if !defined(SVNVER) | |
| 10 | SVNVER= 1.14.1 | 10 | SVNVER= 1.14.2 | |
| 11 | .endif | 11 | .endif |
| @@ -1,9 +1,9 @@ | @@ -1,9 +1,9 @@ | |||
| 1 | $NetBSD: distinfo,v 1.118 2021/10/26 10:19:57 nia Exp $ | 1 | $NetBSD: distinfo,v 1.119 2022/04/12 16:24:28 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | BLAKE2s (subversion-1.14.1.tar.bz2) = af51085e4a85be8367c51e407958a56118c0bfedda1a6f77576597e092662f42 | 3 | BLAKE2s (subversion-1.14.2.tar.bz2) = efb49dfb51b3f6c51ac7fe41b3dc593efeef1f9c2fdfa51567ab3940627162ea | |
| 4 | SHA512 (subversion-1.14.1.tar.bz2) = 0a70c7152b77cdbcb810a029263e4b3240b6ef41d1c19714e793594088d3cca758d40dfbc05622a806b06463becb73207df249393924ce591026b749b875fcdd | 4 | SHA512 (subversion-1.14.2.tar.bz2) = 20ada4688ca07d9fb8da4b7d53b5084568652a3b9418c65e688886bae950a16a3ff37710fcfc9c29ef14a89e75b2ceec4e9cf35d5876a7896ebc2b512cfb9ecc | |
| 5 | Size (subversion-1.14.1.tar.bz2) = 8504612 bytes | 5 | Size (subversion-1.14.2.tar.bz2) = 8606570 bytes | |
| 6 | SHA1 (patch-Makefile.in) = 2df6c733d563c0bc7e0d1b4b6e6e00f82ea8c176 | 6 | SHA1 (patch-Makefile.in) = 2df6c733d563c0bc7e0d1b4b6e6e00f82ea8c176 | |
| 7 | SHA1 (patch-configure) = cca6c305c28005496df0913637a9eb778a846fc0 | 7 | SHA1 (patch-configure) = cca6c305c28005496df0913637a9eb778a846fc0 | |
| 8 | SHA1 (patch-subversion_bindings_swig_perl_native_Makefile.PL.in) = 3fadde312693f2a304cd7e348c66cbd373c57854 | 8 | SHA1 (patch-subversion_bindings_swig_perl_native_Makefile.PL.in) = 3fadde312693f2a304cd7e348c66cbd373c57854 | |
| 9 | SHA1 (patch-tools_dev_benchmarks_large__dirs_create__bigdir.sh) = ff19087ff4d348fdcf904eb52406f6b717fe444a | 9 | SHA1 (patch-tools_dev_benchmarks_large__dirs_create__bigdir.sh) = ff19087ff4d348fdcf904eb52406f6b717fe444a |
| @@ -1,17 +1,16 @@ | @@ -1,17 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.129 2021/12/08 16:02:03 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.130 2022/04/12 16:24:28 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | PKGNAME= subversion-base-${SVNVER} | 3 | PKGNAME= subversion-base-${SVNVER} | |
| 4 | PKGREVISION= 3 | |||
| 5 | COMMENT= Version control system, base programs and libraries | 4 | COMMENT= Version control system, base programs and libraries | |
| 6 | 5 | |||
| 7 | # on at least solaris, configure fails to figure out | 6 | # on at least solaris, configure fails to figure out | |
| 8 | # that you need -lintl | 7 | # that you need -lintl | |
| 9 | BROKEN_GETTEXT_DETECTION= yes | 8 | BROKEN_GETTEXT_DETECTION= yes | |
| 10 | 9 | |||
| 11 | .include "../../devel/subversion/Makefile.common" | 10 | .include "../../devel/subversion/Makefile.common" | |
| 12 | 11 | |||
| 13 | USE_TOOLS+= msgfmt pkg-config | 12 | USE_TOOLS+= msgfmt pkg-config | |
| 14 | TOOLS_BROKEN+= perl | 13 | TOOLS_BROKEN+= perl | |
| 15 | 14 | |||
| 16 | CONFIGURE_ARGS+= --without-apxs | 15 | CONFIGURE_ARGS+= --without-apxs | |
| 17 | 16 |