An update for subversion is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1647 Final 1.0 1.0 2022-05-11 Initial 2022-05-11 2022-05-11 openEuler SA Tool V1.0 2022-05-11 subversion security update An update for subversion is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. Subversion exists to be universally recognized and adopted as an open-source, centralized version control system characterized by its reliability as a safe haven for valuable data; the simplicity of its model and usage; and its ability to support the needs of a wide variety of users and projects, from individuals to large-scale enterprise operations. Security Fix(es): Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal copyfrom paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the copyfrom path of the original. This also reveals the fact that the node was copied. Only the copyfrom path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.(CVE-2021-28544) Subversion s mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.(CVE-2022-24070) An update for subversion is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High subversion https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1647 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-28544 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-24070 https://nvd.nist.gov/vuln/detail/CVE-2021-28544 https://nvd.nist.gov/vuln/detail/CVE-2022-24070 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS perl-subversion-1.12.2-4.oe1.aarch64.rpm python3-subversion-1.12.2-4.oe1.aarch64.rpm ruby-subversion-1.12.2-4.oe1.aarch64.rpm subversion-1.12.2-4.oe1.aarch64.rpm subversion-debuginfo-1.12.2-4.oe1.aarch64.rpm subversion-debugsource-1.12.2-4.oe1.aarch64.rpm subversion-devel-1.12.2-4.oe1.aarch64.rpm perl-subversion-1.12.2-4.oe1.aarch64.rpm python3-subversion-1.12.2-4.oe1.aarch64.rpm ruby-subversion-1.12.2-4.oe1.aarch64.rpm subversion-1.12.2-4.oe1.aarch64.rpm subversion-debuginfo-1.12.2-4.oe1.aarch64.rpm subversion-debugsource-1.12.2-4.oe1.aarch64.rpm subversion-devel-1.12.2-4.oe1.aarch64.rpm perl-subversion-1.14.1-2.oe2203.aarch64.rpm python3-subversion-1.14.1-2.oe2203.aarch64.rpm ruby-subversion-1.14.1-2.oe2203.aarch64.rpm subversion-1.14.1-2.oe2203.aarch64.rpm subversion-debuginfo-1.14.1-2.oe2203.aarch64.rpm subversion-debugsource-1.14.1-2.oe2203.aarch64.rpm subversion-devel-1.14.1-2.oe2203.aarch64.rpm subversion-help-1.12.2-4.oe1.noarch.rpm subversion-help-1.12.2-4.oe1.noarch.rpm subversion-help-1.14.1-2.oe2203.noarch.rpm subversion-1.12.2-4.oe1.src.rpm subversion-1.12.2-4.oe1.src.rpm subversion-1.14.1-2.oe2203.src.rpm perl-subversion-1.12.2-4.oe1.x86_64.rpm python3-subversion-1.12.2-4.oe1.x86_64.rpm ruby-subversion-1.12.2-4.oe1.x86_64.rpm subversion-1.12.2-4.oe1.x86_64.rpm subversion-debuginfo-1.12.2-4.oe1.x86_64.rpm subversion-debugsource-1.12.2-4.oe1.x86_64.rpm subversion-devel-1.12.2-4.oe1.x86_64.rpm perl-subversion-1.12.2-4.oe1.x86_64.rpm python3-subversion-1.12.2-4.oe1.x86_64.rpm ruby-subversion-1.12.2-4.oe1.x86_64.rpm subversion-1.12.2-4.oe1.x86_64.rpm subversion-debuginfo-1.12.2-4.oe1.x86_64.rpm subversion-debugsource-1.12.2-4.oe1.x86_64.rpm subversion-devel-1.12.2-4.oe1.x86_64.rpm perl-subversion-1.14.1-2.oe2203.x86_64.rpm python3-subversion-1.14.1-2.oe2203.x86_64.rpm ruby-subversion-1.14.1-2.oe2203.x86_64.rpm subversion-1.14.1-2.oe2203.x86_64.rpm subversion-debuginfo-1.14.1-2.oe2203.x86_64.rpm subversion-debugsource-1.14.1-2.oe2203.x86_64.rpm subversion-devel-1.14.1-2.oe2203.x86_64.rpm Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal copyfrom paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the copyfrom path of the original. This also reveals the fact that the node was copied. Only the copyfrom path is revealed; not its contents. Both httpd and svnserve servers are vulnerable. 2022-05-11 CVE-2021-28544 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Medium 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N subversion security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1647 Subversion s mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected. 2022-05-11 CVE-2022-24070 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H subversion security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1647