RE: svn commit failing - username not sent on the MERGE webdav command
Sorry for the late reply..

Our httpd.conf file contains for this location (some information retracted.. and some lines are commented out)

## Main Subversion repository

DAV svn
SVNPath "/usr/local/svn/ec-svn/repo"
ErrorDocument 404 default
AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/authaccess"
SVNIndexXSLT /xslt/default-svnindex.xsl
SVNPathAuthz off
#AuthzSVNAuthoritive off
#AuthUserFile /usr/local/svn/ec-svn/conf/htpasswd
AuthLDAPURL ldap://
AuthLDAPBindDN "*"
AuthLDAPBindPassword "*"
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative on
AuthName " svn repository edisvn"

Require valid-user

-----Original Message-----
From: Philip Martin [mailto:phi...@codematters.co.uk]
Sent: Tuesday, August 08, 2017 2:35 PM
To: g...@gregj.me
Cc: users@subversion.apache.org
Subject: Re: svn commit failing - username not sent on the MERGE webdav command

writes:

> Ok now I joined the mailing list. But I have not had any response to
> this problem.
>
> Any suggestions? Should I RTFM - if so which?
>
> I've tried different things - and it only seems to allow access if
> 'anonymous' is given access. Which could be a deal breaker for us.
>
> Ideas?

What you have posted of your authz file looks correct, but a complete, self-contained, example would be better.

What does the Location block in your apache config file look like?

-- Philip
[SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released
I'm happy to announce the release of Apache Subversion 1.9.7.
Please choose the mirror closest to you by visiting:

    http://subversion.apache.org/download.cgi?update=201708081800#recommended-release

This is a stable security release of the Apache Subversion open source
version control system. It fixes one security issue:

    CVE-2017-9800:
    Arbitrary code execution on clients through malicious svn+ssh URLs in
    svn:externals and svn:sync-from-url
    http://subversion.apache.org/security/CVE-2017-9800-advisory.txt

The SHA1 checksums are:

    874b81749cdc3e88152d103243c3623ac6338388 subversion-1.9.7.tar.bz2
    1a5f48acf9d0faa60e8c7aea96a9b29ab1d4dcac subversion-1.9.7.tar.gz
    741727b62596bf27f75838c46d1bb6938c83fbd7 subversion-1.9.7.zip

SHA-512 checksums are available at:

    https://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.sha512
    https://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.sha512
    https://www.apache.org/dist/subversion/subversion-1.9.7.zip.sha512

PGP Signatures are available at:

    http://www.apache.org/dist/subversion/subversion-1.9.7.tar.bz2.asc
    http://www.apache.org/dist/subversion/subversion-1.9.7.tar.gz.asc
    http://www.apache.org/dist/subversion/subversion-1.9.7.zip.asc

For this release, the following people have provided PGP signatures:

    Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
      8AA2 C10E EAAD 44F9 6972 7AEA B59C E6D6 010C 8AAD
    Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
      8BC4 DAE0 C5A4 D65F 4044 0107 4F7D BAA9 9A59 B973
    Evgeny Kotkov [4096R/B64FFF1209F9FA74] with fingerprint:
      E7B2 A7F4 EC28 BE9F F8B3 8BA4 B64F FF12 09F9 FA74
    Stefan Hett (CODE SIGNING KEY) [4096R/376A3CFD110B1C95] with fingerprint:
      7B8C A7F6 451A D89C 8ADC 077B 376A 3CFD 110B 1C95
    Daniel Shahaf [3072R/A5FEEE3AC7937444] with fingerprint:
      E966 46BE 08C0 AF0A A0F9 0788 A5FE EE3A C793 7444
    Philip Martin [2048R/76D788E1ED1A599C] with fingerprint:
      A844 790F B574 3606 EE95 9207 76D7 88E1 ED1A 599C

Release notes for the 1.9.x release series may be found at:

    http://subversion.apache.org/docs/release-notes/1.9.html

You can find the list of changes between 1.9.7 and earlier versions at:

    http://svn.apache.org/repos/asf/subversion/tags/1.9.7/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team
[ANNOUNCE] Apache Subversion 1.8.19 released
I'm happy to announce the release of Apache Subversion 1.8.19.
Please choose the mirror closest to you by visiting:

    http://subversion.apache.org/download.cgi?update=201708081800#supported-releases

This is a stable bugfix release of the Apache Subversion open source
version control system.

The SHA1 checksums are:

    c6c46db4734a075bbfc3ce26dcd6c68d1362e21c subversion-1.8.19.tar.gz
    9070d274f8bc0c64b2accf34ffd8a37429cd7daa subversion-1.8.19.zip
    51d7e5329ad86a650f8fc806eb68e581055a3fd1 subversion-1.8.19.tar.bz2

SHA-512 checksums are available at:

    https://www.apache.org/dist/subversion/subversion-1.8.19.tar.bz2.sha512
    https://www.apache.org/dist/subversion/subversion-1.8.19.tar.gz.sha512
    https://www.apache.org/dist/subversion/subversion-1.8.19.zip.sha512

PGP Signatures are available at:

    http://www.apache.org/dist/subversion/subversion-1.8.19.tar.bz2.asc
    http://www.apache.org/dist/subversion/subversion-1.8.19.tar.gz.asc
    http://www.apache.org/dist/subversion/subversion-1.8.19.zip.asc

For this release, the following people have provided PGP signatures:

    Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
      8AA2 C10E EAAD 44F9 6972 7AEA B59C E6D6 010C 8AAD
    Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
      8BC4 DAE0 C5A4 D65F 4044 0107 4F7D BAA9 9A59 B973
    Evgeny Kotkov [4096R/B64FFF1209F9FA74] with fingerprint:
      E7B2 A7F4 EC28 BE9F F8B3 8BA4 B64F FF12 09F9 FA74
    Stefan Hett (CODE SIGNING KEY) [4096R/376A3CFD110B1C95] with fingerprint:
      7B8C A7F6 451A D89C 8ADC 077B 376A 3CFD 110B 1C95
    Daniel Shahaf [3072R/A5FEEE3AC7937444] with fingerprint:
      E966 46BE 08C0 AF0A A0F9 0788 A5FE EE3A C793 7444
    Philip Martin [2048R/76D788E1ED1A599C] with fingerprint:
      A844 790F B574 3606 EE95 9207 76D7 88E1 ED1A 599C

Release notes for the 1.8.x release series may be found at:

    http://subversion.apache.org/docs/release-notes/1.8.html

You can find the list of changes between 1.8.19 and earlier versions at:

    http://svn.apache.org/repos/asf/subversion/tags/1.8.19/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team
Re: svn commit failing - username not sent on the MERGE webdav command
On 10.08.2017 19:39, g...@gregj.me wrote:
> Sorry for the late reply..
>
> Our httpd.conf file contains for this location (some information retracted..
> and some lines are commented out)
>
> ## Main Subversion repository
>
> DAV svn
> SVNPath "/usr/local/svn/ec-svn/repo"
> ErrorDocument 404 default
> AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/authaccess"
> SVNIndexXSLT /xslt/default-svnindex.xsl
> SVNPathAuthz off
> #AuthzSVNAuthoritive off
> #AuthUserFile /usr/local/svn/ec-svn/conf/htpasswd
> AuthLDAPURL ldap://
> AuthLDAPBindDN "*"
> AuthLDAPBindPassword "*"
> AuthType Basic
> AuthBasicProvider ldap
> #AuthzLDAPAuthoritative on
> AuthName " svn repository edisvn"
>
> Require valid-user
>
>

So you're telling httpd that MERGE requests do not need authentication.
Why then are you surprised when it doesn't provide the credentials to
mod_dav_svn?

-- Brane
Re: svn commit failing - username not sent on the MERGE webdav command
On 10.08.2017 20:17, Branko Čibej wrote:
> On 10.08.2017 19:39, g...@gregj.me wrote:
>> Sorry for the late reply..
>>
>> Our httpd.conf file contains for this location (some information retracted..
>> and some lines are commented out)
>>
>> ## Main Subversion repository
>>
>> DAV svn
>> SVNPath "/usr/local/svn/ec-svn/repo"
>> ErrorDocument 404 default
>> AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/authaccess"
>> SVNIndexXSLT /xslt/default-svnindex.xsl
>> SVNPathAuthz off
>> #AuthzSVNAuthoritive off
>> #AuthUserFile /usr/local/svn/ec-svn/conf/htpasswd
>> AuthLDAPURL ldap://
>> AuthLDAPBindDN "*"
>> AuthLDAPBindPassword "*"
>> AuthType Basic
>> AuthBasicProvider ldap
>> #AuthzLDAPAuthoritative on
>> AuthName " svn repository edisvn"
>>
>> Require valid-user
>>
>>
>
> So you're telling httpd that MERGE requests do not need authentication.
> Why then are you surprised when it doesn't provide the credentials to
> mod_dav_svn?

Sorry, to mod_authz_svn, not mod_dav_svn.

-- Brane
Re: [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released
Daniel Shahaf wrote on Thu, 10 Aug 2017 18:04 +:
> I'm happy to announce the release of Apache Subversion 1.9.7.
> Please choose the mirror closest to you by visiting:
>
>
> http://subversion.apache.org/download.cgi?update=201708081800#recommended-release
>
> This is a stable security release of the Apache Subversion open source
> version control system. It fixes one security issue:
>
> CVE-2017-9800:
> Arbitrary code execution on clients through malicious svn+ssh URLs in
> svn:externals and svn:sync-from-url
> http://subversion.apache.org/security/CVE-2017-9800-advisory.txt

This was a coordinated release, here are the other coordinated announcements:

CVE-2017-12426 (GitLab)
https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/

CVE-2017-1000116 (Mercurial (hg))
https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-August/102699.html

CVE-2017-1000117 (Git)
https://public-inbox.org/git/xmqqh8xf482j@gitster.mtv.corp.google.com/T/#u
RE: svn commit failing - username not sent on the MERGE webdav command
Ok I think this is onto something.

I changed to and the commit worked.

When I removed the LIMITEXCEPT completely it didn't even request my password (and failed).

I'll have our tester test it with that tonight if possible.

Thank You!

Question: What *should* be specified?

-----Original Message-----
From: Branko Čibej [mailto:br...@apache.org]
Sent: Thursday, August 10, 2017 11:18 AM
To: users@subversion.apache.org
Subject: Re: svn commit failing - username not sent on the MERGE webdav command

On 10.08.2017 19:39, g...@gregj.me wrote:
> Sorry for the late reply..
>
> Our httpd.conf file contains for this location (some information retracted..
> and some lines are commented out)
>
> ## Main Subversion repository
>
> DAV svn
> SVNPath "/usr/local/svn/ec-svn/repo"
> ErrorDocument 404 default
> AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/authaccess"
> SVNIndexXSLT /xslt/default-svnindex.xsl
> SVNPathAuthz off
> #AuthzSVNAuthoritive off
> #AuthUserFile /usr/local/svn/ec-svn/conf/htpasswd
> AuthLDAPURL ldap://
> AuthLDAPBindDN "*"
> AuthLDAPBindPassword "*"
> AuthType Basic
> AuthBasicProvider ldap
> #AuthzLDAPAuthoritative on
> AuthName " svn repository edisvn"
>
> Require valid-user
>
>

So you're telling httpd that MERGE requests do not need authentication. Why then are you surprised when it doesn't provide the credentials to mod_dav_svn?

-- Brane
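Added example (not part of the thread and not the poster's actual configuration): a small check for the misconfiguration discussed above, where a method named in <LimitExcept> is exempt from the enclosed Require and so reaches mod_authz_svn without a username. The sample config, its /svn path and its method list are constructed, because the <Location> and <LimitExcept> tags were lost from the posted snippet; the read-only method set is the one used in the Subversion book's LimitExcept recipe.

```python
import re

# Methods a Subversion client needs for read-only access over WebDAV
# (the set used in the Subversion book's <LimitExcept> recipe).
READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}

# Constructed sample, not the poster's file: the /svn path and the method
# list are assumptions made for illustration.
SAMPLE_CONF = """\
<Location /svn>
  DAV svn
  SVNPath "/usr/local/svn/ec-svn/repo"
  AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/authaccess"
  #AuthUserFile /usr/local/svn/ec-svn/conf/htpasswd
  AuthType Basic
  AuthBasicProvider ldap
  <LimitExcept GET PROPFIND OPTIONS REPORT MERGE>
    Require valid-user
  </LimitExcept>
</Location>
"""

BLOCK = re.compile(r"<LimitExcept\s+([^>]*)>(.*?)</LimitExcept>", re.I | re.S)
REQUIRE = re.compile(r"^\s*Require\s+\S", re.I | re.M)
COMMENT = re.compile(r"^\s*#.*$", re.M)

def unauthenticated_write_methods(conf_text):
    """Return write methods that a <LimitExcept> exempts from its Require."""
    text = COMMENT.sub("", conf_text)            # ignore commented-out lines
    if REQUIRE.search(BLOCK.sub("", text)):
        return []                                # a Require outside covers all methods
    findings = []
    for match in BLOCK.finditer(text):
        if not REQUIRE.search(match.group(2)):
            continue                             # block does not gate authentication
        # Methods listed in <LimitExcept> are the ones its Require does NOT
        # apply to, so a listed write method is served without credentials.
        listed = set(match.group(1).split())
        findings.extend(sorted(listed - READ_METHODS))
    return findings

if __name__ == "__main__":
    print("exempt write methods:", unauthenticated_write_methods(SAMPLE_CONF))
    fixed = SAMPLE_CONF.replace(" MERGE>", ">")  # read-only methods only
    print("after fix:", unauthenticated_write_methods(fixed))
```

The check only models a single Location with plain Require lines; it does not evaluate Satisfy, nested containers or included files.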
Re: [PATCH] bash URL completion
Nice! I was looking at doing the same thing!

*Do you have the full completion code that you could post directly? (not just the DIFF?)*

Thanks in advance!

On Friday, July 27, 2012 at 3:31:51 AM UTC-6, Gerlando Falauto wrote:
>
> Hi everyone,
>
> I strongly felt the urge to have some way of bash-completing URLS from
> the command line when doing checkouts, listing, cat (for README/REVNOTES
> files) and so on...
> I looked up the "tools/client-side/bash_completion" script only to
> realize it works for local (file:///) but not remote URLs.
> So I came up with the attached patch, which works for me (tested with
> bash 4.1.2, svn 1.6.11)
> The idea was (apart from adding sub-dir completion with a gross "svn ls"
> command) to (manually) list known repositories within a ~/.svn_repos
> file, one per line:
>
> http://srv1/proj1
> svn://srv2/proj2
>
> The reason behind this is that data cached in
> ~/.subversion/auth/svn.simple does not contain the full project URL
> (only the server name) and I could not find a way to get that
> information anywhere else.
>
> I know it would've made more sense to ask for advice *BEFORE* touching
> the code, but still... :-)
>
> Thanks in advance for your feedback!
> Gerlando
>
> P.S. I'm not subscribed to the list, so please Cc: me, thanks!
>