Bug#428194: CVE-2007-2448: "security flaw in 'svn prop*' commands"
Peter Samuelson
peter at p12n.org
Sat Jun 9 20:22:16 UTC 2007
[Florian Weimer]
> Subversion 1.4.4 has been released, containing some security fixes:
>
> * fixed: security flaw in 'svn prop*' commands [CVE-2007-2448]
> (r25095, -099, -104, -105, -10)
>
> I haven't yet figured out what the exact problem is, and
> subversion.tigris.org appears to be down. Sorry.
I'm pretty sure this is Debian bug #419348. The security implication
is that a user who has SVN repository access but not shell access can
screw up a repository beyond what is usually possible, making a big
mess for someone to clean up, especially if you are using the old 'bdb'
backend. I am not sure whether that counts as a security issue that
should be fixed in sarge and etch. (After all, the user _is_ already
trusted to commit to the repository.) But if so, we have patches for
both.