diff --git a/.subversion.metadata b/.subversion.metadata
index ad24608..39aa7d9 100644
--- a/.subversion.metadata
+++ b/.subversion.metadata
@@ -1 +1 @@
-844bb756ec505edaa12b9610832bcd21567139f1 SOURCES/subversion-1.7.13.tar.bz2
+b35254a844d0b221a3fd8e80974ac75119d77b94 SOURCES/subversion-1.7.14.tar.bz2
diff --git a/SOURCES/subversion-1.7.14-CVE-2014-0032.patch b/SOURCES/subversion-1.7.14-CVE-2014-0032.patch
new file mode 100644
index 0000000..a82149b
--- /dev/null
+++ b/SOURCES/subversion-1.7.14-CVE-2014-0032.patch
@@ -0,0 +1,33 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0032
+
+http://svn.apache.org/viewvc?view=revision&revision=1558692
+
+--- subversion-1.7.14/subversion/mod_dav_svn/repos.c.cve0032
++++ subversion-1.7.14/subversion/mod_dav_svn/repos.c
+@@ -1959,6 +1959,25 @@ get_resource(request_rec *r,
+ of private resource, iff the SVNListParentPath directive is 'on'. */
+ if (dav_svn__is_parentpath_list(r))
+ {
++ /* Only allow GET and HEAD on the parentpath resource
++ * httpd uses the same method_number for HEAD as GET */
++ if (r->method_number != M_GET)
++ {
++ int status;
++
++ /* Marshall the error back to the client by generating by
++ * way of the dav_svn__error_response_tag trick. */
++ err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
++ SVN_ERR_APMOD_MALFORMED_URI,
++ "The URI does not contain the name "
++ "of a repository.");
++ /* can't use r->allowed since the default handler isn't called */
++ apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
++ status = dav_svn__error_response_tag(r, err);
++
++ return dav_push_error(r->pool, status, err->error_id, NULL, err);
++ }
++
+ err = get_parentpath_resource(r, resource);
+ if (err)
+ return err;
diff --git a/SPECS/subversion.spec b/SPECS/subversion.spec
index afaf535..17c2103 100644
--- a/SPECS/subversion.spec
+++ b/SPECS/subversion.spec
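Review bot: The new SOURCES/subversion-1.7.14-CVE-2014-0032.patch opens with two bare URLs and no description, so nothing in the package records what Patch12 changes in get_resource(). A short header above the embedded `---` line would cover it, for example `mod_dav_svn: when the request is for the SVNListParentPath listing, answer any method other than GET/HEAD with 405 before get_parentpath_resource() is reached`. Two smaller points in the added block: the comment reads `by generating by way of` (doubled phrase), and the 405 is sent with SVN_ERR_APMOD_MALFORMED_URI and the text `The URI does not contain the name of a repository.`, which does not mention the method, so anyone triaging rejected requests should key on the 405 status and the `Allow: GET,HEAD` header rather than the message. The body of get_resource() starts and ends outside the embedded hunk.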
@@ -9,12 +9,6 @@ %define perl_vendorarch %(eval "`%{__perl} -V:installvendorarch`"; echo $installvendorarch) -%if 0%{?fedora} < 18 -%define dbdevel db4-devel -%else -%define dbdevel libdb-devel -%endif - %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} %{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}} @@ -25,8 +19,8 @@ Summary: A Modern Concurrent Version Control System Name: subversion -Version: 1.7.13 -Release: 1%{?dist} +Version: 1.7.14 +Release: 6%{?dist} License: ASL 2.0 Group: Development/Tools URL: http://subversion.apache.org/ @@ -47,8 +41,9 @@ Patch8: subversion-1.7.4-sqlitever.patch Patch9: subversion-1.7.9-rubybind.patch Patch10: subversion-1.7.9-swighash.patch Patch11: subversion-1.7.10-aarch64.patch +Patch12: subversion-1.7.14-CVE-2014-0032.patch BuildRequires: autoconf, libtool, python, python-devel, texinfo, which -BuildRequires: %{dbdevel} >= 4.1.25, swig >= 1.3.24, gettext +BuildRequires: libdb-devel, swig >= 1.3.24, gettext BuildRequires: apr-devel >= 1.3.0, apr-util-devel >= 1.3.0 BuildRequires: neon-devel >= 0:0.24.7-1, cyrus-sasl-devel BuildRequires: sqlite-devel >= 3.4.0, file-devel, systemd-units @@ -187,6 +182,7 @@ This package includes supplementary tools for use with Subversion. %patch9 -p1 -b .rubybind %patch10 -p1 -b .swighash %patch11 -p1 -b .aarch64 +%patch12 -p1 -b .cve0032 %build # Regenerate the buildsystem, so that: 
@@ -478,6 +474,24 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Wed Mar 5 2014 Joe Orton - 1.7.14-6 +- drop dependency on db4-devel (#1072969) + +* Tue Feb 11 2014 Joe Orton - 1.7.14-5 +- add fix for CVE-2014-0032 + +* Fri Jan 24 2014 Daniel Mach - 1.7.14-4 +- Mass rebuild 2014-01-24 + +* Mon Jan 13 2014 Joe Orton - 1.7.14-3 +- rebuild for #1029360 + +* Fri Dec 27 2013 Daniel Mach - 1.7.14-2 +- Mass rebuild 2013-12-27 + +* Tue Nov 26 2013 Joe Orton - 1.7.14-1 +- update to 1.7.14 (#1034377) + * Tue Sep 3 2013 Joe Orton - 1.7.13-1 - update to 1.7.13 (#1003070) - move bash completions out of /etc (#922993)