Changelog for
subversion-perl-1.10.6-lp152.2.9.1.x86_64.rpm :
* Mon Feb 08 2021 Markéta Machová
- Add subversion-CVE-2020-17525.patch (bsc#1181687, CVE-2020-17525)
* A null-pointer-dereference has been found in mod_authz_svn that results in a remote unauthenticated Denial-of-Service in some server configurations.
* Mon Oct 19 2020 Tomáš Chvátal
- Enable kde integration from 15-SP3 and newer releases jsc#SLE-11654
* Fri Sep 04 2020 Antonio Larrosa
- Add patch to remove dependency on kdelibs4support just to run kf5-config to find out that headers are in /usr/include and libraries are in /usr/lib(64) (jsc#SLE-11901):
* remove-kdelibs4support-dependency.patch
* Thu Jul 25 2019 Tomáš Chvátal
- Update to 1.10.6 bsc#1142743 bsc#1142721 CVE-2018-11782 CVE-2019-0203:
* Allow the use of empty groups in authz rules. (r1854883)
* Fix conflict resolver case with move vs move conflicts. (r1863297)
* Fix #4760: Missing children in svnadmin dump --include/exclude. (r1863298)
* Fix #4793: authz rights from inverted access selectors. (r1854882)
* Fix conflict resolver bug: local and incoming edits swapped. (r1863300)
* Fix #4806: Remove on-disk trees with read-only dirs. (r1863299)
* Fix memory lifetime problem in a libsvn_wc error code path. (r1863302)
* No tree conflict when 'svn up' deletes unmodified dir with unversioned items. (r1863296)
* Remove a useless common ancestor search from conflict resolver. (r1863294)
* Conflict resolver support for added vs unversioned file (r1845577)
* Conflict resolver support for unversioned directories (r1846299)
* Fix: repos-to-WC copy with --parents doesn't create dirs (#4768)
* Fix: foreign repo copy with peg/operative revisions (#4785)
* Fix: foreign repo copy of file adding mergeinfo (#4792)
* Fix: assertion failure using -rPREV on a working copy at r0 (#4532)
* Fix: tree conflict message ends a sentence with a colon (#4717)
* Fix CVE-2018-11803: malicious SVN clients can crash mod_dav_svn
* Fix: unexpected SVN_ERR_FS_NOT_DIRECTORY errors (#4791)
* Fix: mod_dav_svn's SVNUseUTF8 had no effect in some setups (r1844882)
* Fix crash in mod_http2 (#4782)
* Store the HTTPS client cert password (r1842578)
* Fix shelving when custom diff command is configured (issue #4758)
* Fix conflict resolver crashes (issue #4744, r1842581, r1842582, r1842583)
* Fix conflict resolver endless scan in some cases (r1842586)
* Fix "Accept incoming deletion" on locally deleted file (issue #4739)
* Fix "resolver adds unrelated moves to move target list" (issue #4766)
* Correctly claim to offer Gnome Keyring support with libsecret (r1831142)
* Fix segfault using Gnome Keyring with libsecret (r1835782)
* Fix JavaHL local refs capacity warning when unparsing externals (r1831143)
* Since on Windows Subversion does not handle symlinks, never check for reparse points (r1835701)
* Prune externals after 'update --set-depth=exclude' (r1835702)
* Fix issue #4740, "conflict resolver searches too far back ..." (r1835703)
- Remove merged patch subversion-CVE-2018-11803.patch
- Remove merged patch subversion-1.10.0-fix-svn-version-gnome-keyring.patch
- Refresh patch subversion-no-build-date.patch
* Wed Jan 23 2019 Karol Babioch
- Added subversion-CVE-2018-11803.patch: Fixed a vulnerability that allowed malicious SVN clients to trigger a crash in mod_dav_svn by omitting the root path from a recursive directory listing request (CVE-2018-11803 bsc#1122842)
* Sun Apr 15 2018 astieger@suse.com
- Apache Subversion 1.10.0:
* new conflict resolver
* Many bug fixes and enhancements
* lz4 compression for the repositories
* https://subversion.apache.org/docs/release-notes/1.10.html
- Packaging changes:
* Convert dependencies to pkgconfig counterparts
* Add dependency on liblz4 and utf8proc
* Use %license (boo#1082318)
* build with KDE5 KWallet support
- Refresh patches:
* subversion-1.8.0-rpath.patch
* subversion-no-build-date.patch
* subversion-fix-parallel-build-support-for-perl-bindings.patch
* subversion-perl-underlinking.patch
- dropped patches:
* subversion-1.8.11-autocheck-time.patch, upstream
* subversion-1.9.0-allow-httpd-2.4.6.patch, no longer required
- Add subversion-1.10.0-fix-svn-version-gnome-keyring.patch to list GNOME keyring support in svn --version when using libsecret
* Tue Dec 19 2017 fstrba@suse.com
- BuildConflict with jdk10 or higher. The build uses extensively the javah tool which is removed in jdk10.
* Thu Nov 23 2017 rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
* Wed Nov 01 2017 mpluskal@suse.com
- Explicitly require python2
* Mon Oct 09 2017 vcizek@suse.com
- Disable kwallet support on openSUSE built with openssl 1.1, because otherwise the libopenssl pulled in by libserf and libqt4 create a conflict (boo#1042629)
* Fri Aug 25 2017 tchvatal@suse.com
- Switch the KDE condition to match sle15 too
* Fri Aug 11 2017 tchvatal@suse.com
- Remove user changing option inherited from sysconfig from README
* Was removed as it does not work on systemd, new section is there describing current approach
* Thu Aug 10 2017 astieger@suse.com
- Apache Subversion 1.9.7:
* CVE-2017-9800: A remote attacker could have caused svn clients to execute arbitrary code via specially crafted URLs in svn:externals and svn:sync-from-url properties. (bsc#1051362)
* Fri Jul 28 2017 astieger@suse.com
- Add instructions for running svnserve as a user different from "svn", and remove sysconfig variables that are no longer effective with the systemd unit. bsc#1049448
* Fri Jul 07 2017 astieger@suse.com
- Apache Subversion 1.9.6 (bsc#1026936): This change makes Subversion resilient to collision attacks, including SHA-1 collision attacks such as . https://subversion.apache.org/faq#shattered-sha1
* fsfs: never attempt to share directory representations
* fsfs: make consistency independent of hash algorithms
* cp/mv: improve error message when target is an unversioned dir
* merge: reduce memory usage with large amounts of mergeinfo
* 'svnadmin freeze': document the purpose more clearly
* dump: fix segfault when a revision has no revprops
* fsfs: improve error message upon failure to open rep-cache
* work around an APR bug related to file truncation
* javahl: follow redirects when opening a connection
* Thu Jun 15 2017 nmoudra@suse.com
- Deleted all xinetd related entries as it is not desired anymore
* it's obsolete due to socket based service
* socket based service is not needed at this pkg
* Mon Mar 13 2017 tchvatal@suse.com
- Update to build with new RPM in Factory
- Provide the kwallet auth in main pkg in case kde integration is disabled
- Use apache2-rpm-macros to get the apache variables
* Wed Nov 30 2016 tchvatal@suse.com
- Version update to 1.9.5:
* bsc#1011552 CVE-2016-8734 Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://
- Client-side bugfixes:
* fix accessing non-existent paths during reintegrate merge (r1766699 et al)
* fix handling of newly secured subdirectories in working copy (r1724448)
* info: remove trailing whitespace in --show-item=revision (issue #4660)
* fix recording wrong revisions for tree conflicts (r1734106)
* gpg-agent: improve discovery of gpg-agent sockets (r1766327)
* gpg-agent: fix file descriptor leak (r1766323)
* resolve: fix --accept=mine-full for binary files (issue #4647)
* merge: fix possible crash (issue #4652)
* resolve: fix possible crash (r1748514)
* fix potential crash in Win32 crash reporter (r1663253 et al)
- Server-side bugfixes:
* fsfs: fix "offset too large" error during pack (issue #4657)
* svnserve: enable hook script environments (r1769152)
* fsfs: fix possible data reconstruction error (issue #4658)
* fix source of spurious 'incoming edit' tree conflicts (r1770108)
* fsfs: improve caching for large directories (r1721285)
* fsfs: fix crash when encountering all-zero checksums (r1759686)
* fsfs: fix potential source of repository corruptions (r1756266)
* mod_dav_svn: fix excessive memory usage with mod_headers/mod_deflate (issue #3084)
* mod_dav_svn: reduce memory usage during GET requests (r1757529 et al)
* fsfs: fix unexpected "database is locked" errors (r1741096 et al)
* fsfs: fix opening old repositories without db/format files (r1720015)
- Client-side and server-side bugfixes:
* fix possible crash when reading invalid configuration files (r1715777)
- Bindings bugfixes:
* swig-pl: do not corrupt "{DATE}" revision variable (r1767768)
* javahl: fix temporary accepting SSL server certificates (r1764851)
* swig-pl: fix possible stack corruption (r1683266, r1683267)
- Drop no longer needed patch:
* subversion-1.8.11-swig-py-comment-3.patch
* Wed Jun 29 2016 tchvatal@suse.com
- Drop syslog.target from After wrt bnc#983938
* Thu Apr 28 2016 astieger@suse.com
- Apache Subversion 1.9.4, fixing two server-side vulnerabilities:
* CVE-2016-2167: svnserve/sasl may authenticate users using the wrong realm (boo#976849)
* CVE-2016-2168: Remotely triggerable DoS vulnerability in mod_authz_svn during COPY/MOVE authorization check (boo#976850)
- Client-side bugfixes:
* diff: support '--summarize --ignore-properties'
* checkout: fix performance regression on NFS
* gpg-agent: properly handle passwords with percent characters
* svn-graph.pl: fix assertion about a non-canonical path
* hot-backup.py: better input validation
* commit: abort on Ctrl-C in plaintext password prompt
* diff: produce proper forward binary diffs with --git
* ra_serf: fix deleting directories with many files
- Server-side bugfixes:
* improve documentation for AuthzSVNGroupsFile and groups-db
* fsfs: reduce peak memory usage when listing large directories
* fsfs: fix a rare source of incomplete dump files and reports
- Client-side and server-side bugfixes:
* update INSTALL documentation file
* fix potential memory access bugs
* fix potential out of bounds read in svn_repos_get_logs5()
- Bindings bugfixes:
* ignore absent nodes in javahl version of svn status -u
- API changes:
* properly interpret parameters in svn_wc_get_diff_editor6()
* Wed Mar 02 2016 astieger@suse.com
- make the subversion package conflict with KWallet and Gnome Keyring packages which do not require matching subversion versions in SLE 12 and openSUSE Leap 42.1 and thus break the main package upon partial upgrade. Fix/workaround for boo#969159
* Tue Dec 15 2015 astieger@suse.com
- Apache Subversion 1.9.3
- This release fixes two security issues:
* Remotely triggerable heap overflow and out-of-bounds read caused by integer overflow in the svn:// protocol parser. CVE-2015-5259 [boo#958299]
* Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn caused by integer overflow when parsing skel-encoded request bodies. CVE-2015-5343 [boo#958300]
- Other changes:
* svn: fix possible crash in auth credentials cache
* cleanup: avoid unneeded memory growth during pristine cleanup
* diff: fix crash when repository is on server root
* fix translations for commit notifications
* ra_serf: fix crash in multistatus parser
* svn: report lock/unlock errors as failures
* svn: cleanup user deleted external registrations
* svn: allow simple resolving of binary file text conflicts
* svnlook: properly remove tempfiles on diff errors
* ra_serf: report built- and run-time versions of libserf
* ra_serf: set Content-Type header in outgoing requests
* svn: fix merging deletes of svn:eol-style CRLF/CR files
* ra_local: disable zero-copy code path
* mod_authz_svn: fix authz with mod_auth_kerb/mod_auth_ntlm
* mod_dav_svn: fix display of process ID in cache statistics
* mod_dav_svn: use LimitXMLRequestBody for skel-encoded requests
* svnadmin dump: preserve no-op changes
* fsfs: avoid unneeded I/O when opening transactions
* javahl: fix ABI incompatibility with 1.8
* javahl: allow non-absolute paths in SVNClient.vacuum
* fix patch filter invocation in svn_client_patch()
* add @since information to config defines
* fix running the tests in compatibility mode
* clarify documentation of svn_fs_node_created_rev()
* fix overflow detection in svn_stringbuf_remove and _replace
* don't ignore some of the parameters to svn_ra_svn_create_conn3
* Wed Oct 28 2015 astieger@suse.com
- Fix copy-and-paste error in Supplements for GNOME keyring integration
* Wed Sep 23 2015 astieger@suse.com
- Apache Subversion 1.9.2:
* fix a number of client-side crashes and bugs
* checkout: remove unnecessary I/O operation
* svn: show utf8proc version in svn --version --verbose
* fix reporting for empty representations in svnfsfs stats
- upstream keyring updated
* Thu Sep 03 2015 astieger@suse.com
- Apache Subversion 1.9.1:
* Fix crash with GPG-agent with non-canonical $HOME
* svn: expose expat and zlib versions in svn --version --verbose
* svn: improve help text for 'svn info --show-item'
* svnserve: fixed minor typo in help text
* Fix an error leak in FSFS verification
* Fix incomplete membuffer cache initialization
* svnfsfs: fix some bugs and inconsistencies in load-index
* Fix memory corruption in copy source SWIG bindings
- drop subversion-1.8.14-httpd-version-number-detection.patch, change is upstream
- adjust subversion-1.9.0-allow-httpd-2.4.6.patch for upstream changes
* Mon Aug 24 2015 tchvatal@suse.com
- Remove support for SLE11 from the spec file
- Use supplements instead of suggests on the other side for the password store
- Fix kde integration conditional to work nicely on openSUSE Leap
* Mon Aug 24 2015 tchvatal@suse.com
- Use suggests instead of recommends to avoid 180+ new pkgs on minimal setup due subversion-password-store bnc#942819
* Tue Aug 11 2015 astieger@suse.com
- Apache Subversion 1.9.0:
* new FSFS format 7 with major overhaul for I/O reduction
* prospective blame
* FSX experimental repository back-end
* many enhancements and bug fixes
- subversion-devel now ships pkgconfig files
- dependency changes:
* serf 1.3.4
* apr, apr-util 1.3.x
* httpd 2.2.x
* java 1.6
* Python 2.7
- To continue to allow building against blacklisted httpd 2.4.6 which has the required patches in openSUSE:13.1:Update, update subversion-1.8.9-allow-httpd-2.4.6.patch to subversion-1.9.0-allow-httpd-2.4.6.patch
- removed upstreamed patches:
* subversion-1.8.10-fix-bashisms.patch
* subversion-1.8.11-swig-py-comment.patch
* subversion-1.8.11-swig-py-comment-2.patch
- adjust subversion-no-build-date.patch
- drop subversion-1.8.14-unused-var-authnrequired.patch
* Thu Aug 06 2015 stsp@elego.de
- Pass --enable-broken-httpd-auth to configure. Assumes all apache2 packages contain security patches regardless of their version number. Should fix the build on SLES12 and perhaps elsewhere.
* Thu Aug 06 2015 stsp@elego.de
- fix mod_authz_svn build with -Wunused-variable
* subversion-1.8.14-unused-var-authnrequired.patch
* Thu Aug 06 2015 stsp@elego.de
- Apache Subversion 1.8.14
- This release fixes two vulnerabilities:
* mod_authz_svn: do not leak information in mixed anonymous/authenticated httpd (dav) configurations (CVE-2015-3184) bnc#939514
* do not leak paths that were hidden by path-based authz (CVE-2015-3187) bnc#939517
- Non-security fixes:
* document svn:autoprops
* fix 'svn cp ^/A/D/H@1 ^/A' to properly create A
* improve conflict prompts for binary files
* improve performance of \'ls -v\'
* improved Sqlite 3.8.9 query performance
* fixed issue #4580: 'svn -v st' on file externals reports "?" for user/rev
* mod_dav_svn: do not ignore skel parsing errors
* detect invalid svndiff data earlier
* prevent possible repository corruption on power/disk failures
* fixed issue #4577: Read error with some repository nodes
* fixed issue #4531: server-side copy (over dav) is slow
* swig-pl: fix some stack memory problems
- Refreshed patch subversion-no-build-date.patch
- Remove obsoleted patch subversion-1.8.13-fix-sqlite-3.8.9-tests.patch
- Add patch subversion-1.8.14-httpd-version-number-detection.patch
* Sat May 16 2015 astieger@suse.com
- disable failing check-swig-rb
* Thu Apr 09 2015 astieger@suse.com
- fix tests with SQLite 3.8.9, adding subversion-1.8.13-fix-sqlite-3.8.9-tests.patch
* Tue Mar 31 2015 astieger@suse.com
- Apache Subversion 1.8.13
- This release fixes three vulnerabilities:
* Subversion HTTP servers with FSFS repositories were vulnerable to a remotely triggerable excessive memory use with certain REPORT requests. (bsc#923793 CVE-2015-0202)
* Subversion mod_dav_svn and svnserve were vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers. (bsc#923794 CVE-2015-0248)
* Subversion HTTP servers allow spoofing svn:author property values for new revisions (bsc#923795 CVE-2015-0251)
- Non-security updates:
* fixes number of client and server side non-security bugs
* improved working copy performance
* reduction of resource use
* stability improvements
* usability improvements
- 1.8.12 was not released
* Fri Mar 20 2015 astieger@suse.com
- Improve installation of secure password storage plugins for KWallet and GNOME Keyring
- Recommend installation of bash completion
* Tue Mar 10 2015 astieger@suse.com
- Fix running all regression tests with davautocheck.sh and svnserveautocheck.sh when time is a shell built-in but not a command: add subversion-1.8.11-autocheck-time.patch
* Wed Mar 04 2015 astieger@suse.com
- fix sample configuration comments in subversion.conf [boo#916286]
* Mon Mar 02 2015 astieger@suse.com
- SLE 11 SP3 build with all regression tests
- run swig-py tests where they pass
* Fri Feb 20 2015 astieger@suse.com
- fix build with swig 3.0.3 and later:
* upstream subversion-1.8.11-swig-py-comment.patch
* upstream subversion-1.8.11-swig-py-comment-2.patch
* partial subversion-1.8.11-swig-py-comment-3.patch
- There remains a regression in swig 3.0.3 and later which causes check-swig-py to fail - disable these checks.
* Thu Jan 08 2015 bwiedemann@suse.com
- fix sysconfig file generation (bnc#911620)
* Thu Dec 18 2014 andreas.stieger@gmx.de
- Apache Subversion 1.8.11
- This release addresses two security issues: [boo#909935]
* CVE-2014-3580: mod_dav_svn DoS from invalid REPORT requests.
* CVE-2014-8108: mod_dav_svn DoS from use of invalid transaction names.
- Client-side bugfixes:
* checkout/update: fix file externals failing to follow history and subsequently silently failing
* patch: don't skip targets in valid --git diffs
* diff: make property output in diffs stable
* diff: fix diff of local copied directory with props
* diff: fix changelist filter for repos-WC and WC-WC
* remove broken conflict resolver menu options that always error out
* improve gpg-agent support
* fix crash in eclipse IDE with GNOME Keyring
* fix externals shadowing a versioned directory
* fix problems working on unix file systems that don't support permissions
* upgrade: keep external registrations
* cleanup: improve performance of recorded timestamp fixups
* translation updates for German
- Server-side bugfixes:
* disable revprop caching feature due to cache invalidation problems
* skip generating uniquifiers if rep-sharing is not supported
* mod_dav_svn: reject requests with missing repository paths
* mod_dav_svn: reject requests with invalid virtual transaction names
* mod_dav_svn: avoid unneeded memory growth in resource walking
* Thu Nov 20 2014 Led
- fix bashisms in mailer-init.sh script
- add patches:
* subversion-1.8.10-fix-bashisms.patch
* Sat Nov 01 2014 andreas.stieger@gmx.de
- Add a versioned runtime requirement for sqlite and pass it to configure via --enable-sqlite-compatibility-version to allow running with sqlite older than at build time but compatible.
- make build with KDE / KWallet optional to fix build with SLE 12