This post is from the CollabNet VersionOne blog and has not been updated since the original publish date.
New Subversion Release Includes Several Security Fixes
Apache Subversion 1.7.9 and 1.6.21 have been released. Among the normal set of bug fixes in the release are several fixes for security vulnerabilities. A list of all of the vulnerabilities and their details is available on the Subversion security page:
I would encourage you to read the details of each vulnerability so that you can assess the risk for your environment. My take on these items is that they are all on the Low/Medium end of the spectrum. None of the higher-risk classes of vulnerability, such as arbitrary code execution or privilege escalation, is included. Generally speaking, all of the fixes are for issues where an attacker could send a request to your Apache Subversion server that causes the worker process to crash. If enough of these requests are sent to a server, the result is a Denial of Service. Fortunately, most of the issues require authenticated access (and typically also commit access), so in general servers which require login or are not exposed to the Internet are relatively safe. Of course it is still a good idea to update your server to the latest version, as these are not the only fixes in the release. A complete list of all changes is in the CHANGES file.
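Two checks that follow from the paragraph above, written here as an added example and not part of the original post or of the Subversion project: one decides from an `svn --version` banner whether a server is at or beyond the fixed release for its branch (1.7.9 or 1.6.21, the versions named in the post), and the other scans Apache httpd error-log lines for the worker-process crash pattern (`child pid N exit signal ...`) and reports the densest burst, which is the observable symptom of the denial-of-service class described. The version banners and log lines are constructed for illustration; the one-minute window and the treatment of branches newer than 1.7 as already patched are assumptions.

```python
"""Added example (not from the CollabNet post or the Subversion project):
defender-side checks for the Subversion 1.7.9 / 1.6.21 security releases.
Version banners and log lines below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Minimum fixed version per branch, as named in the post.
FIXED_VERSIONS = {(1, 7): (1, 7, 9), (1, 6): (1, 6, 21)}

_VERSION_RE = re.compile(r"version (\d+)\.(\d+)\.(\d+)")


def parse_svn_version(banner):
    """Extract (major, minor, patch) from `svn --version` output."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no version string found in banner")
    return tuple(int(x) for x in m.groups())


def is_patched(banner):
    """True if the installed version is at or above the fixed release for
    its branch. Assumption: branches newer than 1.7 postdate the fixes and
    count as patched; branches older than 1.6 have no fix and do not."""
    ver = parse_svn_version(banner)
    branch = ver[:2]
    if branch in FIXED_VERSIONS:
        return ver >= FIXED_VERSIONS[branch]
    return branch > (1, 7)


# Matches httpd child-exit lines; tolerates the fractional seconds that
# httpd 2.4 adds to the timestamp.
_CRASH_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})"
    r"(?:\.\d+)? (?P<year>\d{4})\].*child pid (?P<pid>\d+) exit signal"
)


def max_crash_rate(lines, window_seconds=60):
    """Sliding-window count of worker crashes. Returns (count, start) where
    count is the largest number of crashes seen within any window and start
    is the timestamp of the first crash in that window ("YYYY-MM-DD HH:MM:SS"),
    or (0, None) when no crash lines are present."""
    crashes = []
    for line in lines:
        m = _CRASH_RE.search(line)
        if m:
            ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
            crashes.append(ts)
    crashes.sort()
    window = timedelta(seconds=window_seconds)
    best_count, best_start, start = 0, None, 0
    for end in range(len(crashes)):
        # Advance the window start until it fits within `window` of `end`.
        while crashes[end] - crashes[start] > window:
            start += 1
        count = end - start + 1
        if count > best_count:
            best_count, best_start = count, crashes[start]
    return best_count, best_start.isoformat(sep=" ") if best_start else None


# Constructed sample: a pre-fix 1.7.x server logging a burst of child crashes.
SAMPLE_LOG = """\
[Wed Apr 03 10:00:01 2013] [notice] Apache/2.2.22 (Unix) SVN/1.7.8 configured -- resuming normal operations
[Wed Apr 03 10:05:12 2013] [notice] child pid 4001 exit signal Segmentation fault (11)
[Wed Apr 03 10:05:13 2013] [notice] child pid 4002 exit signal Segmentation fault (11)
[Wed Apr 03 10:05:15 2013] [notice] child pid 4003 exit signal Segmentation fault (11)
[Wed Apr 03 10:05:40 2013] [notice] child pid 4004 exit signal Segmentation fault (11)
[Wed Apr 03 11:30:00 2013] [notice] child pid 4101 exit signal Segmentation fault (11)
""".splitlines()


if __name__ == "__main__":
    for banner in ("svn, version 1.7.8", "svn, version 1.7.9", "svn, version 1.6.21"):
        print(banner, "->", "patched" if is_patched(banner) else "update needed")
    count, start = max_crash_rate(SAMPLE_LOG)
    print(f"peak: {count} worker crashes within 60s starting {start}")
```

On a real host, feed `max_crash_rate` the lines of the httpd error log and `is_patched` the output of `svn --version` on the server; a burst of worker exits from an unpatched 1.6.x or 1.7.x server is the signal to prioritise the update.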
If you are using Subversion Edge on your server, you are in luck. We have posted the Subversion Edge 3.3.0 release which includes Apache Subversion 1.7.9 along with many other new features and improvements. You can see a full list of what is in this release here. Subversion Edge users can update directly from within the web console by clicking on the Software Updates section. It has been several months since our last release of Subversion Edge so there are a lot of nice improvements that users have requested. I would encourage all users to update to this version as soon as convenient.
Client and server binaries for Subversion 1.7.9 are also available for download. We will be posting our binaries for Subversion 1.6.21 as they complete our qualification process.
* Apache, Apache Subversion and the Subversion logo are trademarks of the Apache Software Foundation. Subversion® is a registered trademark of the Apache Software Foundation.