author | ohauer <ohauer@FreeBSD.org> | 2013-09-03 03:04:20 +0800 |
---|---|---|
committer | ohauer <ohauer@FreeBSD.org> | 2013-09-03 03:04:20 +0800 |
commit | ac477124adfa81cbd680eec71ca51c1443933bf0 (patch) | |
tree | 536b40d8f0bab04bf2b0b1fd22bd3c38e4e66c7a /security | |
parent | 52157180d8dc041868da98a26c36f28bc2de264d (diff) | |
- update devel/subversion to 1.8.3 [1]
- update devel/subversion17 to 1.7.13 [1]
- add vuxml entry
Version 1.7.13
(29 Aug 2013, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.13/CHANGES
User-visible changes:
- General
* merge: fix bogus mergeinfo with conflicting file merges (issue #4306)
* diff: fix duplicated path component in '--summarize' output (issue #4408)
* ra_serf: ignore case when checking certificate common names (r1514763)
- Server-side bugfixes:
* svnserve: fix creation of pid files (r1516556)
* mod_dav_svn: better status codes for commit failures (r1490684)
* mod_dav_svn: do not map requests to filesystem (r1512432 et al)
Developer-visible changes:
- General:
* support linking against gssapi on Solaris 10 (r1515068)
* don't use uninitialized variable to produce an error code (r1482282)
- Bindings:
* swig-pl: fix SVN::Client not honoring config file settings (r150744)
* swig-pl & swig-py: disable unusable svn_fs_set_warning_func (r1515119)
Version 1.8.3
(29 August 2013, from /branches/1.8.x)
http://svn.apache.org/repos/asf/subversion/tags/1.8.3/CHANGES
User-visible changes:
- Client- and server-side bugfixes:
* translation updates for Swedish
* enforce strict version equality between tools and libraries (r1502267)
* consistently output revisions as "r%ld" in error messages (r1499044 et al)
- Client-side bugfixes:
* status: always use absolute paths in XML output (issue #4398)
* ra_serf: 'svn log -v' fails with a 1.2.x server (issue #4044)
* ra_serf: fix crash when committing cp with deep deletion (issue #4400)
* diff: issue an error for files that can't fit in memory (r1513119 et al)
* svnmucc: generate proper error for mismatched URLs (r1511353)
* update: fix a crash when a temp file doesn't exist (r1513156)
* commit & update: improve sleep for timestamps performance (r1508438)
* diff: continue on missing or obstructing files (issue #4396)
* ra_serf: use runtime serf version for User-Agent (r1514315, r1514628)
* ra_serf: ignore case when checking certificate common names (r1514763)
* ra_serf: format distinguished names properly (r1514804)
* ra_serf: do not retry HTTP requests if we started to parse them (r1503318)
* ra_serf: output ssl cert verification failure reason (r1514785 et al)
* ra_serf: allow session reuse after SVN_ERR_CEASE_INVOCATION (r1502901)
* ra_serf: include library version in '--version' output (r1514295 et al)
* info: fix spurious error on wc root with child in conflict (r1515366)
- Server-side bugfixes:
* svnserve: fix creation of pid files (r1516556)
* svnadmin: fix output encoding in non-UTF8 environments (r1506966)
* svnsync: fix high memory usage when running over ra_serf (r1515249 et al)
* mod_dav_svn: do not map requests to filesystem (r1512432 et al)
* svnauthz: improve help strings (r1511272)
* fsfs: fixed manifest file growth with revprop changes (r1513874)
* fsfs: fix packed revprops causing loss of revprops (r1513879 et al)
- Other tool improvements and bugfixes:
* svnwcsub/irkerbridge: fix symlink attack via pid file (r175 from upstream)
Developer-visible changes:
- General:
* describe APR unimplemented errors as coming from APR (r1503010 et al)
* mod_dav_svn: update INSTALL to reflect configure defaults (r1515141)
* davautocheck: use the correct apxs binary by default (r1507889, r1507891)
- API changes:
* svn_config_walk_auth_data() config_dir arg: permit NULL (r1507382 et al)
- Bindings:
* swig-pl: fix SVN::Client not honoring config file settings (r150744)
* swig-pl & swig-py: disable unusable svn_fs_set_warning_func (r1515119)
Approved by: lev@ (explicit per PM)
Security: f8a913cc-1322-11e3-8ffa-20cf30e32f6d
CVE-2013-4277 [1]
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index b2f9e4c5c7d4..a6d158875c1e 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -51,6 +51,40 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="f8a913cc-1322-11e3-8ffa-20cf30e32f6d"> + <topic>svnserve is vulnerable to a local privilege escalation vulnerability via symlink attack.</topic> + <affects> + <package> + <name>subversion</name> + <range><ge>1.4.0</ge><lt>1.6.23_2</lt></range> + <range><ge>1.7.0</ge><lt>1.7.13</lt></range> + <range><ge>1.8.0</ge><lt>1.8.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Subversion Project reports:</p> + <blockquote cite="http://subversion.apache.org/security/CVE-2013-4277-advisory.txt"> + <p>svnserve takes a --pid-file option which creates a file containing the + process id it is running as. It does not take steps to ensure that the file + it has been directed at is not a symlink. If the pid file is in a directory + writeable by unprivileged users, the destination could be replaced by a + symlink allowing for privilege escalation. svnserve does not create a pid + file by default.</p> + <p>All versions are only vulnerable when the --pid-file=ARG option is used.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-4277</cvename> + <url>http://subversion.apache.org/security/CVE-2013-4277-advisory.txt</url> + </references> + <dates> + <discovery>2013-08-30</discovery> + <entry>2013-09-02</entry> + </dates> + </vuln> + <vuln vid="b3b8d491-0fbb-11e3-8c50-1c6f65c11ee6"> <topic>cacti -- allow remote attackers to execute arbitrary SQL commands</topic> <affects> |
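Review bot: the `<affects>` block lists only the package name `subversion` with three ranges, while the commit message updates two ports (devel/subversion to 1.8.3 and devel/subversion17 to 1.7.13) and mentions no 1.6 update, yet the first range is `<ge>1.4.0</ge><lt>1.6.23_2</lt>`; please confirm that a fixed 1.6.23_2 package actually exists and that every affected port's package name is covered (a second `<name>` entry is needed if the subversion17 port builds a differently named package). As a style point, the `<topic>` should follow the `package -- summary` convention used by the neighbouring entry (`cacti -- allow remote attackers to execute arbitrary SQL commands`), for example `subversion -- local privilege escalation via symlink attack on the svnserve pid file`.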