subversion: fix CVE-2015-3187

The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path. Patch is from: http://subversion.apache.org/security/CVE-2015-3187-advisory.txt (From OE-Core master rev: 6da25614edcad30fdb4bea8ff47b81ff81cdaed2) (From OE-Core rev: e1e277bf51c6f00268358f6bf8623261b1b9bc22) Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Wenzong Fan <wenzong.fan@windriver.com> 2015-11-17 00:38:42 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-12-08 10:27:15 +0000
commit: 0cb2fa5f73a2ad2dcfbfdf0337ba293880eea0a8 (patch)
tree: 32ff6bdaf49f2747f4e8535dc55c1a7521cf5466 /meta/recipes-devtools/subversion/subversion_1.8.13.bb
parent: 5b52e9b086bd57fe6207771b7deb9092865a64b2 (diff)
download: poky-0cb2fa5f73a2ad2dcfbfdf0337ba293880eea0a8.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/recipes-devtools/subversion/subversion_1.8.13.bb b/meta/recipes-devtools/subversion/subversion_1.8.13.bb
index 9505247be5..68934b7e02 100644
--- a/meta/recipes-devtools/subversion/subversion_1.8.13.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.8.13.bb
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://disable_macos.patch \
           file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
           file://subversion-CVE-2015-3184.patch \
+           file://subversion-CVE-2015-3187.patch \
 "
 SRC_URI[md5sum] = "4413417b529d7bdf82f74e50df02e88b"
 SRC_URI[sha256sum] = "1099cc68840753b48aedb3a27ebd1e2afbcc84ddb871412e5d500e843d607579"
author	Wenzong Fan <wenzong.fan@windriver.com>	2015-11-17 00:38:42 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-12-08 10:27:15 +0000
commit	0cb2fa5f73a2ad2dcfbfdf0337ba293880eea0a8 (patch)
tree	32ff6bdaf49f2747f4e8535dc55c1a7521cf5466 /meta/recipes-devtools/subversion/subversion_1.8.13.bb
parent	5b52e9b086bd57fe6207771b7deb9092865a64b2 (diff)
download	poky-0cb2fa5f73a2ad2dcfbfdf0337ba293880eea0a8.tar.gz

diff --git a/meta/recipes-devtools/subversion/subversion_1.8.13.bb b/meta/recipes-devtools/subversion/subversion_1.8.13.bb index 9505247be5..68934b7e02 100644 --- a/meta/recipes-devtools/subversion/subversion_1.8.13.bb +++ b/meta/recipes-devtools/subversion/subversion_1.8.13.bb
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
15	file://disable_macos.patch \	15	file://disable_macos.patch \
16	file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \	16	file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
17	file://subversion-CVE-2015-3184.patch \	17	file://subversion-CVE-2015-3184.patch \
		18	file://subversion-CVE-2015-3187.patch \
18	"	19	"
19	SRC_URI[md5sum] = "4413417b529d7bdf82f74e50df02e88b"	20	SRC_URI[md5sum] = "4413417b529d7bdf82f74e50df02e88b"
20	SRC_URI[sha256sum] = "1099cc68840753b48aedb3a27ebd1e2afbcc84ddb871412e5d500e843d607579"	21	SRC_URI[sha256sum] = "1099cc68840753b48aedb3a27ebd1e2afbcc84ddb871412e5d500e843d607579"