On Thu, Mar 17, 2011 at 10:38 PM, Konstantin Boyandin <li...@boyandin.name> wrote:
> 03/07/2011 02:24 AM, Nico Kadel-Garcia wrote:
>> On Sun, Mar 6, 2011 at 11:43 AM, Daniel Shahaf <d...@daniel.shahaf.name>
>> wrote:
>>> Nico Kadel-Garcia wrote on Sun, Mar 06, 2011 at 09:00:15 -0500:
>>>> On Sun, Mar 6, 2011 at 7:22 AM, Andy Levy <andy.l...@gmail.com> wrote:
>>>>> On Sat, Mar 5, 2011 at 22:34, Konstantin Boyandin <li...@boyandin.name>
>>>>> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Setup: there's a server where Subversion repository is located (working
>>>>>> via Apache backend), OS CentOS 5.5, Subversion installed as RPM
>>>>>> subversion-1.4.2-4.el5_3.1
>>>>
>>>> Red Hat has published subversion-1.6.11 for RHEL 5.6, and you can grab
>>>> and recompile it from your nearest Red Hat SRPM mirror
>>>> (http://mirrors.kernel.org/redhat is pretty good.) CentOS 5.6 has been
>>>> taking a while to release, so it's not published for CentOS yet.
>>>>
>>>> But there is also the RPMforge release of subversion-1.6.15 at
>>>> http://rpmrepo.org/RPMforge/. Enjoy, I put up that one (based on
>>>> various previous releases.) I'd urge you to upgrade, ASAP, for a lot
>>>> of *other* reasons.
>>>
>>> 1.6.15 contains a known remote DoS which is fixed by the just-released
>>> 1.6.16.
>>
>> I'm trying to recompile 1.6.16 for RHEL 5 based environments. There's
>> a number of fiddly little changes in the configurations which break
>> the RPM compilation.
>>
>> The remote DDOS is HTTP/HTTPS related. If you use svn+ssh, which I
>> recommend for security reasons anyway, you're apparently not at risk
>> of it.
>
> I would appreciate the RPMs compilation instructions for the 1.6.16 - or
> the link to SRPM.
>
> Thanks in advance!
>
> Sincerely,
> Konstantin

The 1.6.15 SRPMs are at http://rpmrepo.org/RPMforge/. I've not spent a lot of time on this; I'm in the midst of interviewing for a role involving Debian support and setting up a Debian environment. (My current contract ended recently.)

The 1.6.16 has some minor build-structure changes that have broken the SRPMs. I'm wondering if it's even worth pursuing, for environments that don't rely on HTTP/HTTPS authentication, especially because I'm such a long-standing deprecator of that approach. (This is because the Linux and UNIX clients store the passwords for HTTP/HTTPS access in clear text.)