View Cart
Login Register
Support Helpdesk | About Us | News & Events | Contact Us
Recommended Security Upgrade - Subversion version 1.6.17

Recommended Security Upgrade - Subversion version 1.6.17

On 1st June 2011 the latest Subversion 1.6 patch was released – version 1.6.17

Subversion 1.6.17 is primarily a bug fix release but is a recommended update as contains three security related fixes for the server:

CVE-2011-1752 – null-pointer dereference vulnerability

CVE-2011-1783 – memory exhaustion DoS vulnerability

CVE-2011-1921 – Unreadable files content leak

Clearvision recommend that this upgrade is performed as soon as possible especially if you have a public facing server.

Another big benefit of this release is the improvement in checkout time on Windows clients in certain scenarios. Performance benchmarks from Subversion committers show a 76% improvement in some cases.

The full list of fixes:

User-visible changes:

  • improve checkout speed on Windows (issue #3719)
  • make 'blame -g' more efficient on with large mergeinfo (r1094692)
  • avoid some invalid handle exceptions on Windows (r1095654)
  • preserve log message with a non-zero editor exit (r1072084)
  • fix FSFS cache performance on 64-bit platforms (r1103665)
  • make svn cleanup tolerate obstructed directories (r1091881)
  • fix deadlock in multithreaded servers serving FSFS repositories (r1104093)
  • detect very occasional corruption and abort commit (issue #3845)
  • fixed: file externals cause non-inheritable mergeinfo (issue #3843)
  • fixed: file externals cause mixed-revision working copies (issue #3816)
  • fix crash in mod_dav_svn with GETs of baselined resources (r1104126)
    • See CVE-2011-1752, and descriptive advisory at http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
  • fixed: write-through proxy could direcly commit to slave (r917523)
  • detect a particular corruption condition in FSFS (r1100213)
  • improve error message when clients refer to unkown revisions (r939000)
  • bugfixes and optimizations to the DAV mirroring code (r878607)
  • fixed: locked and deleted file causes tree conflict (issue #3525)
  • fixed: update touches locked file with svn:keywords property (issue #3471)
  • fix svnsync handling of directory copyfrom (issue #3641)
  • fix 'log -g' excessive duplicate output (issue #3650)
  • fix svnsync copyfrom handling bug with BDB (r1036429)
  • server-side validation of svn:mergeinfo syntax during commit (issue #3895)
  • fix remotely triggerable mod_dav_svn DoS
    • See CVE-2011-1783, and descriptive advisory at http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
  • fix potential leak of authz-protected file contents
    • See CVE-2011-1921, and descriptive advisory at http://subversion.apache.org/security/CVE-2011-1921-advisory.txt
  • Developer-visible changes:
  • fix reporting FS-level post-commit processing errors (r1104098)
  • fix JVM recognition on OS X Snow Leopard (10.6) (r1028084)
  • allow building on Windows with recent Expat (r1074572)

You can find more information at http://subversion.apache.org/.

You can download Subversion 1.6.17 here: http://subversion.apache.org/packages.html.

You can download the Subversion Source Code here: http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=260&expandFolder=260&folderID=260.

Clearvision provide Subversion training, subversion consulting, subversion support and subversion products including our Subversion Agile Application Lifecycle Management solution AgileSCM, our Migration and Bridging tools Migrate2SVN, CMBridge and the JIRA integration product Change Integration.