subversion-commits mailing list archives

From cmpil...@apache.org
Subject svn commit: r899813 - in /subversion/site/publish: security.html security/index.html
Date Fri, 15 Jan 2010 21:03:22 GMT
Author: cmpilato
Date: Fri Jan 15 21:03:21 2010
New Revision: 899813

URL: http://svn.apache.org/viewvc?rev=899813&view=rev
Log:
Dance in the spirit of hierarchy.

* site/publish/security.html
  Move this...

* site/publish/security/index.html
  ...to here, with content tweaks, and with a section which lists
  previous advisories.

Added:
    subversion/site/publish/security/index.html
      - copied, changed from r899812, subversion/site/publish/security.html
Removed:
    subversion/site/publish/security.html

Copied: subversion/site/publish/security/index.html (from r899812, subversion/site/publish/security.html)
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?p2=subversion/site/publish/security/index.html&p1=subversion/site/publish/security.html&r1=899812&r2=899813&rev=899813&view=diff
==============================================================================
--- subversion/site/publish/security.html (original)
+++ subversion/site/publish/security/index.html Fri Jan 15 21:03:21 2010
@@ -14,11 +14,12 @@
 <!--#include virtual="/site-nav.html" -->
 <div id="site-content">
 <!--#include virtual="/site-notice.html" -->
+<!-- **************** BEGIN CONTENT ***************** -->
 
-<h2>Subversion Security</h2>
+<h1>Subversion Security</h1>
 
 <p>If you discover a security vulnerability in Subversion, please
-email this address (which is not hosted at tigris.org due to the need
+email this address (which is not hosted at Tigris.org due to the need
 for complete privacy):</p>
 
 <!-- See http://www.cdt.org/speech/spam/030319spamreport.shtml for
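Review bot: the parenthetical on the changed line `+email this address (which is not hosted at Tigris.org due to the need` still explains the list's location by contrast with Tigris.org, while this page is now being committed to the Apache site (svn.apache.org, per the viewvc URLs above); since this hunk already touches that line for capitalization, consider rewording it to say the list is hosted separately from the project's public infrastructure, which stays accurate regardless of where the site lives.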
@@ -31,37 +32,89 @@
 
 <p>It is safe to send sensitive reports to this address: list
 membership is controlled, and the archives are not publicly
-accessible.  We will analyze your report and take appropriate action.
-Our usual procedure is to</p>
+accessible.  <strong style="color: red">Please do not reproduce the
+above email address on other web pages or in public postings.</strong>
+Due to the need for responsiveness, the security list is unmoderated,
+which makes it particularly vulnerable to spammers.  We want to avoid
+changing the list address, because it's good to have a consistent,
+dependable place to report security holes.  We've taken steps to make
+the address above less likely to be harvested by spammers, but your
+assistance here in this matter is critical.</p>
+
+<h2>Security Prodecure</h2>
+
+<p>We take security very seriously.  Upon receiving your report at the
+above email address, we will do the following:
 
 <ol>
+   <li>Analyze your report.</li>
+
    <li>Make a fix for the vulnerability.</li>
 
    <li>Discreetly distribute the fix to a few large sites that run
    Subversion servers and are trusted to be discreet themselves.</li>
 
-   <li>Release a new version of Subversion (containing just that fix)
-   and publicly announce the vulnerability on the same day.</li>
+   <li>Simultaneously release a new version of Subversion (containing
+   just that fix) and publicly announce the vulnerability it
+   fixes.</li>
 </ol>
 
 <p>This procedure may vary depending on the nature of the
 vulnerability and the degree of pre-existing public awareness, of
 course.</p>
 
-<p><span style="color: red"><i>Please do not reproduce the above email
-address on other web pages or in public postings.</i></span> Due to
-the need for responsiveness, the security list is unmoderated, which
-makes it particularly vulnerable to spammers.  We want to avoid
-changing the list address, because it's good to have a consistent,
-dependable place to report security holes.</p>
+<h2>Previous Security Advisories</h2>
+
+<p>The following are a list of past security advisories issued by the
+Subversion project.</p>
 
-<p>On this page, the address has been encoded in various ways to
-reduce the likelihood of a spam harvester noticing it.  But if the
-address starts appearing in other places on the Internet, then the
-harvesters will inevitably pick it up, and we'll be stuck wading
-through ever-increasing amounts of spam, trying not to lose important
-vulnerability reports in the noise.</p>
+<table cellpadding="0" cellspacing="0">
+<thead>
+<tr>
+<th>Document</th>
+<th>Version(s)</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><a href="svn-sscanf-advisory.txt">svn-sscanf-advisory.txt</a></td>
+<td>1.0.0-1.0.2</td>
+<td>Date parser buffer overflow.</td>
+</tr>
+<tr>
+<td><a href="CAN-2004-0413-advisory.txt">CAN-2004-0413-advisory.txt</a></td>
+<td>1.0.0-1.0.4</td>
+<td>Denial of Service and Heap Overflow issue related to string parsing in svnserve</td>
+</tr>
+<tr>
+<td><a href="mod_authz_svn-copy-advisory.txt">mod_authz_svn-copy-advisory.txt</a></td>
+<td>1.0.0-1.0.5</td>
+<td>mod_authz_svn exposure of unreadable paths via deep copy to readable location.</td>
+</tr>
+<tr>
+<td><a href="CAN-2004-0749-advisory.txt">CAN-2004-0749-advisory.txt</a></td>
+<td>1.0.0-1.0.7,1.1.0-rcX</td>
+<td>Revision metadata leakage in mod_dav_svn.</td>
+</tr>
+<tr>
+<td><a href="CVE-2007-2448-advisory.txt">CVE-2007-2448-advisory.txt</a></td>
+<td>1.0.1-1.4.3</td>
+<td>Revision metadata leakage via 'svn prop*' commands.</td>
+</tr>
+<tr>
+<td><a href="CVE-2007-3846-advisory.txt">CVE-2007-3846-advisory.txt</a></td>
+<td>1.0.0-1.4.4</td>
+<td>Remote file delivery and installation via path mis-handling.</td>
+</tr>
+<tr>
+<td><a href="CVE-2009-2411-advisory.txt">CVE-2009-2411-advisory.txt</a></td>
+<td>1.0.0-1.6.3</td>
+<td>Heap Overflow in binary delta parser.</td>
+</tr>
+</table>
 
-</div>
+<!-- ***************** END CONTENT ****************** -->
+</div> <!-- #site-content -->
 </body>
 </html>
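Review bot: the advisory links in the new table (e.g. `<td><a href="svn-sscanf-advisory.txt">svn-sscanf-advisory.txt</a></td>`) are relative, so from security/index.html they resolve under /security/, yet the commit's Added section lists only security/index.html; confirm the advisory .txt files already exist under site/publish/security/ or add them in the same change so none of the new links 404. Also in this hunk: the heading `+<h2>Security Prodecure</h2>` misspells "Procedure"; the paragraph opened at `+<p>We take security very seriously.  Upon receiving your report at the` drops the `</p>` the old version had before the `<ol>`; the `<tbody>` opened before the first data row is never closed before `</table>`; and "The following are a list of past security advisories" should read "The following is a list". The table text could be made consistent as well (the svnserve description lacks a trailing period, and "1.0.0-1.0.7,1.1.0-rcX" wants a space after the comma).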


