[SECURITY][ANNOUNCE] Apache Subversion 1.10.8 released

[mark...@apache.org]

I'm happy to announce the release of Apache Subversion 1.10.8.
Please choose the mirror closest to you by visiting:

https://subversion.apache.org/download.cgi#supported-releases

This is a stable bugfix and security release of the Apache Subversion
open source version control system.

THIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:

CVE-2021-28544
"SVN authz protected copyfrom paths regression"

The full security advisory for CVE-2021-28544 is available at:
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc

A brief summary of this advisory follows:

Subversion servers reveal 'copyfrom' paths that should be hidden according to
configured path-based authorization (authz) rules. When a node has been
copied from a protected location, users with access to the copy can see the
`copyfrom' path of the original. This also reveals the fact that
the node was copied.
Only the 'copyfrom' path is revealed; not its contents. Both httpd
and svnserve
servers are vulnerable.

We recommend all users to upgrade to a known fixed release of the
Subversion server.

This issue was reported by Evgeny Kotkov

CVE-2022-24070
"Subversion's mod_dav_svn is vulnerable to memory corruption"

The full security advisory for CVE-2022-24070 is available at:
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc

A brief summary of this advisory follows:

While looking up path-based authorization rules, mod_dav_svn servers
may attempt to use memory which has already been freed.

We recommend all users to upgrade to a known fixed release of the
Subversion server.

This issue was reported by Thomas Weißschuh

SHA-512 checksums are available at:

https://www.apache.org/dist/subversion/subversion-1.10.8.tar.bz2.sha512
https://www.apache.org/dist/subversion/subversion-1.10.8.tar.gz.sha512
https://www.apache.org/dist/subversion/subversion-1.10.8.zip.sha512

PGP Signatures are available at:

https://www.apache.org/dist/subversion/subversion-1.10.8.tar.bz2.asc
https://www.apache.org/dist/subversion/subversion-1.10.8.tar.gz.asc
https://www.apache.org/dist/subversion/subversion-1.10.8.zip.asc

For this release, the following people have provided PGP signatures:

Julian Foad [rsa4096/1FB064B84EECC493] with fingerprint:
6011 63CF 9D49 9FD7 18CF 582D 1FB0 64B8 4EEC C493
Stefan Sperling [rsa2048/4F7DBAA99A59B973] with fingerprint:
8BC4 DAE0 C5A4 D65F 4044 0107 4F7D BAA9 9A59 B973
Branko Čibej [rsa4096/1BCA6586A347943F] with fingerprint:
BA3C 15B1 337C F0FB 222B D41A 1BCA 6586 A347 943F
Mark Phippard [ed25519/C4416167349A3BCB] with fingerprint:
EC25 FCC1 0561 8D04 ADB4 3429 C441 6167 349A 3BCB
Johan Corveleyn [rsa4096/B59CE6D6010C8AAD] with fingerprint:
8AA2 C10E EAAD 44F9 6972 7AEA B59C E6D6 010C 8AAD

These public keys are available at:

https://www.apache.org/dist/subversion/subversion-1.10.8.KEYS

Release notes for the 1.10.x release series may be found at:

https://subversion.apache.org/docs/release-notes/1.10.html

You can find the list of changes between 1.10.8 and earlier versions at:

https://svn.apache.org/repos/asf/subversion/tags/1.10.8/CHANGES

Questions, comments, and bug reports to us...@subversion.apache.org.

Thanks,
- The Subversion Team