-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:199-1 http://www.mandriva.com/security/ _______________________________________________________________________ Package : subversion Date : December 7, 2009 Affected: 2008.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in subversion: Multiple integer overflows in the libsvn_delta library in Subversion before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users and remote Subversion servers to execute arbitrary code via an svndiff stream with large windows that trigger a heap-based buffer overflow, a related issue to CVE-2009-2412 (CVE-2009-2411). This update provides a solution to this vulnerability and in turn upgrades subversion where possible to provide additional features and upstream bugfixes and adds required dependencies where needed. Update: Packages for 2008.0 are being provided due to extended support for Corporate products. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2411 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: cd8730247a1f1b95cd6a5d0ccdb4d25e 2008.0/i586/apache-mod_dav_svn-1.4.6-0.1mdv2008.0.i586.rpm 8856d2f5d4002dcfc90bbe4d83d97467 2008.0/i586/apache-mod_dontdothat-1.4.6-0.1mdv2008.0.i586.rpm 5f827bc98c06636cc9309d870924eb00 2008.0/i586/libsvn0-1.4.6-0.1mdv2008.0.i586.rpm 8cbae8ef77447948e07a57c9f8d61264 2008.0/i586/perl-SVN-1.4.6-0.1mdv2008.0.i586.rpm 6fac9b4c061f4f4602586c986353172d 2008.0/i586/perl-SVN-devel-1.4.6-0.1mdv2008.0.i586.rpm 5e8f67c21f67b90105beaf6104bf5190 2008.0/i586/python-svn-1.4.6-0.1mdv2008.0.i586.rpm e78ecf59828acd7af3c7063526f82c76 2008.0/i586/python-svn-devel-1.4.6-0.1mdv2008.0.i586.rpm 1a7b5441ab5e443e410a9aefbc4e3435 2008.0/i586/ruby-svn-1.4.6-0.1mdv2008.0.i586.rpm 52f1007346c2911077eebccd66c5a3ef 2008.0/i586/ruby-svn-devel-1.4.6-0.1mdv2008.0.i586.rpm 3bcb28b4d850cd4675a71244fd752aef 2008.0/i586/subversion-1.4.6-0.1mdv2008.0.i586.rpm 81e05e627d9c09aaf503a45d54b636a4 2008.0/i586/subversion-devel-1.4.6-0.1mdv2008.0.i586.rpm eb5af70ee51862cde7e85e6c891175af 2008.0/i586/subversion-doc-1.4.6-0.1mdv2008.0.i586.rpm 4c45cfef462f13ba285bf68358dde747 2008.0/i586/subversion-server-1.4.6-0.1mdv2008.0.i586.rpm 1cc20e97ecc78474e3bd715efb22d9bd 2008.0/i586/subversion-tools-1.4.6-0.1mdv2008.0.i586.rpm 592799a80610eb351deb49f8bd5ea31b 2008.0/i586/svn-javahl-1.4.6-0.1mdv2008.0.i586.rpm 2e41bd21eda3a5fdce88f6ebb95550ef 2008.0/i586/svn-javahl-javadoc-1.4.6-0.1mdv2008.0.i586.rpm a7690f81b87fb9c56f6fd2656b63cc55 2008.0/SRPMS/subversion-1.4.6-0.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: d2dc1a7c23e265921b5e83e072dcb526 2008.0/x86_64/apache-mod_dav_svn-1.4.6-0.1mdv2008.0.x86_64.rpm 1578ba8e81f5edaccb5b7480af024fa3 2008.0/x86_64/apache-mod_dontdothat-1.4.6-0.1mdv2008.0.x86_64.rpm b58016a752f50ac8aaa6d67726de623c 2008.0/x86_64/lib64svn0-1.4.6-0.1mdv2008.0.x86_64.rpm 7ca88436f8cd2bc7321e12a6a02c2824 2008.0/x86_64/perl-SVN-1.4.6-0.1mdv2008.0.x86_64.rpm e382668163319e51c4bd2d9358044398 2008.0/x86_64/perl-SVN-devel-1.4.6-0.1mdv2008.0.x86_64.rpm 90b0a44a6ab7f8e4327119c8106146fa 2008.0/x86_64/python-svn-1.4.6-0.1mdv2008.0.x86_64.rpm 3d023a5d181b7763f8ffa22cf4c719f2 2008.0/x86_64/python-svn-devel-1.4.6-0.1mdv2008.0.x86_64.rpm 7537fb41775f4a3a9ce1bcd1e7b8f864 2008.0/x86_64/ruby-svn-1.4.6-0.1mdv2008.0.x86_64.rpm 8181a0346c21330e051e6b21ff7f427d 2008.0/x86_64/ruby-svn-devel-1.4.6-0.1mdv2008.0.x86_64.rpm 40c011c5a55c79bfa511d45a70d49ca0 2008.0/x86_64/subversion-1.4.6-0.1mdv2008.0.x86_64.rpm 41e25eea5b66b9e14fcfe5da71f74b59 2008.0/x86_64/subversion-devel-1.4.6-0.1mdv2008.0.x86_64.rpm 87830dab8b9a81caa567808317eb3d4d 2008.0/x86_64/subversion-doc-1.4.6-0.1mdv2008.0.x86_64.rpm 6b5f409f5e161a511595d511ec4f98b5 2008.0/x86_64/subversion-server-1.4.6-0.1mdv2008.0.x86_64.rpm bcb8d52a88a0dc5038695619d66bcb2d 2008.0/x86_64/subversion-tools-1.4.6-0.1mdv2008.0.x86_64.rpm 466aa45fda5d8b6f5adc9cad6f82f9a1 2008.0/x86_64/svn-javahl-1.4.6-0.1mdv2008.0.x86_64.rpm d3e0dc4a1b890e198d3c20c54109435e 2008.0/x86_64/svn-javahl-javadoc-1.4.6-0.1mdv2008.0.x86_64.rpm a7690f81b87fb9c56f6fd2656b63cc55 2008.0/SRPMS/subversion-1.4.6-0.1mdv2008.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLHTP6mqjQ0CJFipgRAvQ7AJ49r9UXZTqBgNHXad7MN1AcYpaKFACg8F4/ R5JDcgcV6fXLLTBYOmyclZk= =RoF5 -----END PGP SIGNATURE-----