The Byte Stops Here

Subversion 1.6.4 has been released to fix a vulnerability.

Version 1.6.4
(06 Aug 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.4

User-visible changes:
* fixed: heap overflow vulnerability on server and client
See CVE-2009-2411, and descriptive advisory at
http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt

More details below.

Subversion 1.6.4 has been released, available from:

    http://subversion.tigris.org/downloads/subversion-1.6.4.tar.bz2

    http://subversion.tigris.org/downloads/subversion-1.6.4.tar.gz

    http://subversion.tigris.org/downloads/subversion-1.6.4.zip

    http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.bz2

    http://subversion.tigris.org/downloads/subversion-deps-1.6.4.tar.gz

    http://subversion.tigris.org/downloads/subversion-deps-1.6.4.zip

THIS IS A SECURITY RELEASE, addressing the issue described at:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2411

The CVE page may not be public yet when you read this, but will be soon.

The full text of the advisory is available at:

    http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt

This security issue affects both clients and servers.  Clients with commit access to a vulnerable server can cause a remote heap overflow.  Servers can cause a heap overflow on vulnerable clients that try to do a checkout or update.  Subversion 1.6.4 differs from 1.6.4 only in the fix for this issue.  Upgrading to Subversion 1.6.4 (or Subversion 1.5.7, released

simultaneously) is therefore strongly recommended for Subversion client and server installations on all platforms.

Release notes for the 1.6.x release series may be found at:

    http://subversion.tigris.org/svn_1.6_releasenotes.html

You can find the list of changes between 1.6.4 and earlier versions at:

    http://svn.collab.net/repos/svn/tags/1.6.4/CHANGES

See announcement below.

I'm happy to announce Subversion 1.6.3, available from:

    http://subversion.tigris.org/downloads/subversion-1.6.3.tar.bz2
    http://subversion.tigris.org/downloads/subversion-1.6.3.tar.gz
    http://subversion.tigris.org/downloads/subversion-1.6.3.zip
    http://subversion.tigris.org/downloads/subversion-deps-1.6.3.tar.bz2
    http://subversion.tigris.org/downloads/subversion-deps-1.6.3.tar.gz
    http://subversion.tigris.org/downloads/subversion-deps-1.6.3.zip

The MD5 checksums are:

    8bf7637ac99368db0890e3f085fa690d  subversion-1.6.3.tar.bz2
    8357468ed2485b88151c50fb5deb28ca  subversion-1.6.3.tar.gz
    2a09e99c4a780e2fb84e68fd6c528ee6  subversion-1.6.3.zip
    22d3687ae93648fcecf945c045931272  subversion-deps-1.6.3.tar.bz2
    2f9db6ae8b2ae41cf7adacad47b27946  subversion-deps-1.6.3.tar.gz
    b589abbdeb207407673e3ce64a7b72cc  subversion-deps-1.6.3.zip

The SHA1 checksums are:

    88a4a21509f9d8f95a64f7545f3294d356f619c8  subversion-1.6.3.tar.bz2
    18666f632c80a6c2a67cfb172fe03dcf9bd79dff  subversion-1.6.3.tar.gz
    13fa4cefc1a6b982c01cd9a95a59a8e8cc233b61  subversion-1.6.3.zip
    db465834df2cec5f7a1d26597e2017af166a5768  subversion-deps-1.6.3.tar.bz2
    922dbf1c3fcb86451812c269b193dd968ec798ff  subversion-deps-1.6.3.tar.gz
    933bc1043376172fed5970014af1800e3d2ad2fa  subversion-deps-1.6.3.zip

PGP Signatures are available at:

    http://subversion.tigris.org/downloads/subversion-1.6.3.tar.bz2.asc
    http://subversion.tigris.org/downloads/subversion-1.6.3.tar.gz.asc
    http://subversion.tigris.org/downloads/subversion-1.6.3.zip.asc
    http://subversion.tigris.org/downloads/subversion-deps-1.6.3.tar.bz2.asc
    http://subversion.tigris.org/downloads/subversion-deps-1.6.3.tar.gz.asc
    http://subversion.tigris.org/downloads/subversion-deps-1.6.3.zip.asc

For this release, the following people have provided PGP signatures:

   Senthil Kumaran S [1024D/6CCD4038] with fingerprint:
    8035 16A5 1D6E 50E2 1ECD  DE56 F68D 46FB 6CCD 4038
   Paul T. Burba [1024D/53FCDC55] with fingerprint:
    E630 CF54 792C F913 B13C  32C5 D916 8930 53FC DC55
   Arfrever Frehtes Taifersar Arahesis [1024D/E06AFE3E] with fingerprint:
    17D9 DFDA EC0F E896 428A  D821 2041 9549 E06A FE3E
   Bert Huijben [1024D/9821F7B2] with fingerprint:
    2017 F51A 2572 0E78 8827  5329 FCFD 6305 9821 F7B2
   Blair Zajac [1024D/DA561D91] with fingerprint:
    3FAE C7E1 ADE8 572F 613C  F086 C572 2326 DA56 1D91
   Mark Phippard [1024D/035A96A9] with fingerprint:
    D315 89DB E1C1 E9BA D218  39FD 265D F8A0 035A 96A9
   Hyrum K. Wright [1024D/4E24517C] with fingerprint:
    3324 80DA 0F8C A37D AEE6  D084 0B03 AE6E 4E24 517C

Release notes for the 1.6.x release series may be found at:

    http://subversion.tigris.org/svn_1.6_releasenotes.html

You can find the list of changes between 1.6.3 and earlier versions at:

    http://svn.collab.net/repos/svn/tags/1.6.3/CHANGES

Guys, hoping you can help me out. I'm looking to move our company away from using SourceForge OnDemand (now CollabNet), towards something a bit more... fresher? In my analysis, I looked mainly at simplicity... simplicity for the developer and project manager. I'm probably missing tons, but I found some lower cost alternatives that were even more feature-rich than SourceForge OnDemand, while focusing on simplicity and ease of use.

Among the tops options are Assembla, Codespaces, and Unfuddle.

Have you guys used any of these tools? Thoughts? Do you suggest any alternatives?

See the notice for details.

------------------------------------------------------

I'm happy to announce Subversion 1.6.2, available from:

    http://subversion.tigris.org/downloads/subversion-1.6.2.tar.bz2
    http://subversion.tigris.org/downloads/subversion-1.6.2.tar.gz
    http://subversion.tigris.org/downloads/subversion-1.6.2.zip
    http://subversion.tigris.org/downloads/subversion-deps-1.6.2.tar.bz2
    http://subversion.tigris.org/downloads/subversion-deps-1.6.2.tar.gz
    http://subversion.tigris.org/downloads/subversion-deps-1.6.2.zip

Release notes for the 1.6.x release series may be found at:

    http://subversion.tigris.org/svn_1.6_releasenotes.html

You can find the list of changes between 1.6.2 and earlier versions at:

    http://svn.collab.net/repos/svn/tags/1.6.2/CHANGES

Questions, comments, and bug reports to users@subversion.tigris.org.

Thanks,
- The Subversion Team

------------------------------------------------------

See the text of the announcement below.

I'm happy to announce Subversion 1.6.1, available from:

    http://subversion.tigris.org/downloads/subversion-1.6.1.tar.bz2
    http://subversion.tigris.org/downloads/subversion-1.6.1.tar.gz
    http://subversion.tigris.org/downloads/subversion-1.6.1.zip
    http://subversion.tigris.org/downloads/subversion-deps-1.6.1.tar.bz2
    http://subversion.tigris.org/downloads/subversion-deps-1.6.1.tar.gz
    http://subversion.tigris.org/downloads/subversion-deps-1.6.1.zip

The MD5 checksums are:

    95708b96b920faeffca017f43ec96777  subversion-1.6.1.tar.bz2
    32014fe70397357fa1e0ef8f937a0232  subversion-1.6.1.tar.gz
    e6d1871ac64a16417773abc4da0a4520  subversion-1.6.1.zip
    4c76dd10a3767db04717e357dc090348  subversion-deps-1.6.1.tar.bz2
    75e1493c02a56b5aadc24326d963326c  subversion-deps-1.6.1.tar.gz
    081553b5693e0b0cb266f7ca56f25b10  subversion-deps-1.6.1.zip

The SHA1 checksums are:

    de01efed25505d689c369a67fbf9b2d2f02e4795  subversion-1.6.1.tar.bz2
    aad29d357ad58206570b0049bd8a565e9529d908  subversion-1.6.1.tar.gz
    c6a3653a08c9700fce3663e9e2a234bf958ea9f3  subversion-1.6.1.zip
    17dfee86ca0187b9171242db25087b6f48cbed8d  subversion-deps-1.6.1.tar.bz2
    1493f18ee9143da746356198ea7013823585f159  subversion-deps-1.6.1.tar.gz
    4cda3414d9aba0902db22181241bd678f6567bb9  subversion-deps-1.6.1.zip

PGP Signatures are available at:

    http://subversion.tigris.org/downloads/subversion-1.6.1.tar.bz2.asc
    http://subversion.tigris.org/downloads/subversion-1.6.1.tar.gz.asc
    http://subversion.tigris.org/downloads/subversion-1.6.1.zip.asc
    http://subversion.tigris.org/downloads/subversion-deps-1.6.1.tar.bz2.asc
    http://subversion.tigris.org/downloads/subversion-deps-1.6.1.tar.gz.asc
    http://subversion.tigris.org/downloads/subversion-deps-1.6.1.zip.asc

For this release, the following people have provided PGP signatures:

   Senthil Kumaran S [1024D/6CCD4038] with fingerprint:
    8035 16A5 1D6E 50E2 1ECD  DE56 F68D 46FB 6CCD 4038
   Paul T. Burba [1024D/53FCDC55] with fingerprint:
    E630 CF54 792C F913 B13C  32C5 D916 8930 53FC DC55
   Mark Phippard [1024D/035A96A9] with fingerprint:
    D315 89DB E1C1 E9BA D218  39FD 265D F8A0 035A 96A9
   Bert Huijben [1024D/9821F7B2] with fingerprint:
    2017 F51A 2572 0E78 8827  5329 FCFD 6305 9821 F7B2
   Hyrum K. Wright [1024D/4E24517C] with fingerprint:
    3324 80DA 0F8C A37D AEE6  D084 0B03 AE6E 4E24 517C
   Arfrever Frehtes Taifersar Arahesis [1024D/0FF33963] with fingerprint:
    F699 87DA C1B7 BF23 B85F  13A5 60CF 6A81 0FF3 3963
   Kamesh Jayachandran [1024D/ED184C2C] with fingerprint:
    3E5B 5C1D 1CA6 A611 2787  9B4B DD61 EFC8 ED18 4C2C

Release notes for the 1.6.x release series may be found at:

    http://subversion.tigris.org/svn_1.6_releasenotes.html

You can find the list of changes between 1.6.1 and earlier versions at:

    http://svn.collab.net/repos/svn/tags/1.6.1/CHANGES

Questions, comments, and bug reports to users@subversion.tigris.org.

Thanks,
- The Subversion Team