Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2015
[ANNOUNCE] Apache Subversion 1.8.19 released
14 August 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: subversion
Publisher: Apache
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-9800
Reference: ESB-2017.1985
Original Bulletin:
http://subversion.apache.org/download.cgi?update=201708081800
- --------------------------BEGIN INCLUDED TEXT--------------------
I'm happy to announce the release of Apache Subversion 1.9.7.
Please choose the mirror closest to you by visiting:
http://subversion.apache.org/download.cgi?update=201708081800#recommended-release
This is a stable security release of the Apache Subversion open source
version control system. It fixes one security issue:
CVE-2017-9800:
Arbitrary code execution on clients through malicious svn+ssh URLs in
svn:externals and svn:sync-from-url
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
The SHA1 checksums are:
874b81749cdc3e88152d103243c3623ac6338388 subversion-1.9.7.tar.bz2
1a5f48acf9d0faa60e8c7aea96a9b29ab1d4dcac subversion-1.9.7.tar.gz
741727b62596bf27f75838c46d1bb6938c83fbd7 subversion-1.9.7.zip
SHA-512 checksums are available at:
https://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.sha512
https://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.sha512
https://www.apache.org/dist/subversion/subversion-1.9.7.zip.sha512
PGP Signatures are available at:
http://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.asc
http://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.asc
http://www.apache.org/dist/subversion/subversion-1.9.7.zip.asc
For this release, the following people have provided PGP signatures:
Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
8AA2 C10E EAAD 44F9 6972 7AEA B59C E6D6 010C 8AAD
Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
8BC4 DAE0 C5A4 D65F 4044 0107 4F7D BAA9 9A59 B973
Evgeny Kotkov [4096R/B64FFF1209F9FA74] with fingerprint:
E7B2 A7F4 EC28 BE9F F8B3 8BA4 B64F FF12 09F9 FA74
Stefan Hett (CODE SIGNING KEY) [4096R/376A3CFD110B1C95] with fingerprint:
7B8C A7F6 451A D89C 8ADC 077B 376A 3CFD 110B 1C95
Daniel Shahaf [3072R/A5FEEE3AC7937444] with fingerprint:
E966 46BE 08C0 AF0A A0F9 0788 A5FE EE3A C793 7444
Philip Martin [2048R/76D788E1ED1A599C] with fingerprint:
A844 790F B574 3606 EE95 9207 76D7 88E1 ED1A 599C
Release notes for the 1.9.x release series may be found at:
http://subversion.apache.org/docs/release-notes/1.9.html
You can find the list of changes between 1.9.7 and earlier versions at:
http://svn.apache.org/repos/asf/subversion/tags/1.9.7/CHANGES
Questions, comments, and bug reports to users@subversion.apache.org.
Thanks,
- - The Subversion Team
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWZEJK4x+lLeg9Ub1AQhnyA/+KBVZfQ6LxiqQHNp+pWfBgHZlgbc4eKx9
XbmQdCkLLtAvgfSBOFA63Awmpq0OuH2Di5vzZBfl18StKf6d3eCEfz/oCHvZGLff
bNfcvA5B299UKeLzM+rn+ixwDirir1vLyAhVnBII9wgTSOqE3dHk4jcA+uB5DQz8
2Ob3bM10eZ6pOICAUxa/vQXRrVDnX3EmcDAupJ6Yui5yJFzNHf3RoQx3PU9JxqsR
UUpj4FALbQ95/Ff9jjVTvz7SvA4kbN0yX9mBWrYECgJUEcEbplSuXRE/Q4IQ8hpK
0PAdv2+x/iosMOWN3Eezu9eFQlHUpQ7VBXuCfOpdD6EIXmkzXONFPFoQ95b3hmQS
dgqbuGi9AnVBptIsL3u31A2eGSs5e7GRlZErEsZMLt8oGmes2PFE5P0odTNJivcy
E/JkFYDVjXQkxMwGyX+vCg0yuu8eJsxAMM56GayHLljX+rTTzHXOGzjfa64DcI4G
qhSRuMOel7E9ysd+uDizDIo1eDh1dhIr3C1Pk1P//ddDs0yhilRZzSGZToaZrvs9
UL7TcpQo6MnQPViJQCW01CJudmjYFJHMr1EW0cumrTVG1g4y7/q33ApgLGx+xeCn
psTO1i+Hc5WjraIXljK0zCYCfsPWc7M/07deKpstvu3SpHUrqvA3N5oRn2WX7XeB
TLHouwVhSSc=
=VGym
-----END PGP SIGNATURE-----