Subversion 1.6.4 has been released to fix a vulnerability.
Version 1.6.4
(06 Aug 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.4
User-visible changes:
* fixed: heap overflow vulnerability on server and client
See CVE-2009-2411 and the descriptive advisory at
http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt
More details below.
Subversion 1.6.4 has been released, available from:
http://subversion.tigris.org/downloads/subversion-1.6.4.tar.bz2
http://subversion.tigris.org/downloads/subversion-1.6.4.tar.gz
http://subversion.tigris.org/downloads/subversion-1.6.4.zip
http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.bz2
http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.gz
http://subversion.tigris.org/downloads/subversion-deps-1.6.4.zip
THIS IS A SECURITY RELEASE, addressing the issue described at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2411
The CVE page may not be public yet when you read this, but will be soon.
The full text of the advisory is available at:
http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt
This security issue affects both clients and servers. Clients with commit
access to a vulnerable server can cause a remote heap overflow. Servers can
cause a heap overflow on vulnerable clients that try to do a checkout or
update.

Subversion 1.6.4 differs from 1.6.3 only in the fix for this issue. Upgrading
to Subversion 1.6.4 (or Subversion 1.5.7, released simultaneously) is
therefore strongly recommended for Subversion client and server installations
on all platforms.
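A quick way to tell whether a given Subversion installation is on one of the fixed releases named above (1.6.4 for the 1.6.x series, 1.5.7 for the 1.5.x series). This is an added example, not part of the announcement or the Subversion project; it assumes that `svn --version --quiet` prints the bare version number, and it treats any release older than 1.5.x as not fixed, since the announcement names no fixed release for earlier series.

```shell
#!/bin/sh
# Added example (not from the Subversion announcement): classify an installed
# Subversion version as fixed or vulnerable with respect to CVE-2009-2411.
# Fixed releases per the announcement: 1.6.4 (1.6.x) and 1.5.7 (1.5.x).

# version_ge A B: succeed when dotted version A >= B, comparing the first
# three numeric components one at a time (missing components count as 0).
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# svn_cve_2009_2411_status VERSION: print "fixed" or "vulnerable".
# A trailing non-numeric suffix (e.g. "-dev") is stripped before comparing.
svn_cve_2009_2411_status() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major_minor=$(printf '%s' "$v" | cut -d. -f1,2)
    case "$major_minor" in
        1.6) threshold=1.6.4 ;;   # 1.6.x series: fixed in 1.6.4
        1.5) threshold=1.5.7 ;;   # 1.5.x series: fixed in 1.5.7
        *)   threshold=1.6.4 ;;   # assumption: newer series are fixed, older ones are not
    esac
    if version_ge "$v" "$threshold"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Check the locally installed client/server binary, if there is one.
if command -v svn >/dev/null 2>&1; then
    installed=$(svn --version --quiet)
    echo "svn $installed: $(svn_cve_2009_2411_status "$installed")"
fi
```

Run it on each host that carries a Subversion client or server; the same function can be fed version strings collected from inventory data instead of the local binary.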
Release notes for the 1.6.x release series may be found at:
http://subversion.tigris.org/svn_1.6_releasenotes.html
You can find the list of changes between 1.6.4 and earlier versions at:
http://svn.collab.net/repos/svn/tags/1.6.4/CHANGES