-
subversion (1.6.17dfsg-3ubuntu3.8) precise-security; urgency=medium
* SECURITY UPDATE: Remotely triggerable DoS vulnerability in svnserve
'get-deleted-rev' and Remote unauthenticated denial-of-service
- debian/patches/CVE-2018-11782-and-CVE-2019-0203.patch: properly handle certain replies
in subversion/libsvn_ra_svn/client.c, subversion/svnserve/serve.c,
- CVE-2018-11782
- CVE-2019-0203
-- <email address hidden> (Leonidas S. Barbosa) Mon, 29 Jul 2019 14:51:27 -0300
-
subversion (1.6.17dfsg-3ubuntu3.5) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via non-existing REPORT request
- debian/patches/CVE-2014-3580.patch: make sure repo paths are
specified in subversion/mod_dav_svn/reports/deleted-rev.c,
subversion/mod_dav_svn/reports/file-revs.c,
subversion/mod_dav_svn/reports/get-location-segments.c,
subversion/mod_dav_svn/reports/get-locations.c,
subversion/mod_dav_svn/reports/log.c,
subversion/mod_dav_svn/reports/mergeinfo.c.
- CVE-2014-3580
* SECURITY UPDATE: denial of service via crafted parameter combinations
- debian/patches/CVE-2015-0248.patch: properly handle missing revision
numbers in subversion/mod_dav_svn/reports/get-location-segments.c,
subversion/svnserve/serve.c.
- CVE-2015-0248
* SECURITY UPDATE: svn:author property spoofing issue
- debian/patches/CVE-2015-0251.patch: restrict svn:author modifications
in subversion/mod_dav_svn/deadprops.c.
- CVE-2015-0251
* SECURITY UPDATE: sensitive path information disclosure
- debian/patches/CVE-2015-3187.patch: fix order in
subversion/libsvn_repos/rev_hunt.c, added tests to
subversion/tests/cmdline/authz_tests.py,
subversion/tests/libsvn_repos/repos-test.c.
- CVE-2015-3187
-- Marc Deslauriers <email address hidden> Thu, 20 Aug 2015 08:53:48 -0400
-
subversion (1.6.17dfsg-3ubuntu3.4) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via mod_dav_svn
- debian/patches/CVE-2014-0032.patch: only allow GET and HEAD in
subversion/mod_dav_svn/repos.c.
- CVE-2014-0032
* SECURITY UPDATE: incorrect ssl cert validation
- debian/patches/CVE-2014-3522.patch: properly validate hostnames in
subversion/include/private/svn_cert.h,
subversion/libsvn_ra_serf/util.c,
subversion/libsvn_subr/dirent_uri.c,
added tests to subversion/tests/libsvn_subr/dirent_uri-test.c.
- CVE-2014-3522
* SECURITY UPDATE: md5 collision authentication leak
- debian/patches/CVE-2014-3528.patch: check if realm matches in
subversion/libsvn_subr/config_auth.c.
- CVE-2014-3528
-- Marc Deslauriers <email address hidden> Wed, 13 Aug 2014 11:02:34 -0400
-
subversion (1.6.17dfsg-3ubuntu3.3) precise-security; urgency=low
* SECURITY UPDATE: denial of service in mod_dav_svn
- debian/patches/CVE-2013-1845.patch: handle multiple calls in
subversion/mod_dav_svn/dav_svn.h, subversion/mod_dav_svn/deadprops.c.
- CVE-2013-1845
* SECURITY UPDATE: denial of service in mod_dav_svn via LOCK
- debian/patches/CVE-2013-1846_1847.patch: properly validate locks in
subversion/mod_dav_svn/lock.c.
- CVE-2013-1846
- CVE-2013-1847
* SECURITY UPDATE: denial of service in mod_dav_svn via PROPFIND
- debian/patches/CVE-2013-1849.patch: validate type in
subversion/mod_dav_svn/liveprops.c.
- CVE-2013-1849
* SECURITY UPDATE: repo corruption via newline chars in filenames
- debian/patches/CVE-2013-1968.patch: properly escape paths in
subversion/libsvn_fs_fs/tree.c, added test to
subversion/tests/libsvn_fs/fs-test.c.
- CVE-2013-1968
* SECURITY UPDATE: denial of service via closed connection
- debian/patches/CVE-2013-2112.patch: check for closed connections in
subversion/svnserve/main.c.
- CVE-2013-2112
* Fix FTBFS from test suite failure because of APR hash ordering change:
- debian/patches/fix_apr_ftbfs.patch: ignore ordering in
subversion/bindings/swig/python/tests/repository.py,
subversion/bindings/swig/python/tests/trac/versioncontrol/tests/svn_fs.py,
subversion/bindings/swig/python/tests/wc.py,
subversion/bindings/swig/ruby/test/test_client.rb,
subversion/bindings/swig/ruby/test/test_wc.rb,
subversion/tests/cmdline/stat_tests.py,
subversion/tests/cmdline/svnlook_tests.py,
subversion/tests/cmdline/svntest/actions.py,
subversion/tests/cmdline/svntest/verify.py,
subversion/tests/cmdline/switch_tests.py,
subversion/tests/cmdline/diff_tests.py,
subversion/tests/cmdline/svnsync_tests.py,
subversion/tests/cmdline/update_tests.py,
subversion/tests/cmdline/svnadmin_tests.py,
disable test in subversion/bindings/swig/ruby/test/test_repos.rb,
disable diff_repos_wc_add_with_props test in
subversion/tests/cmdline/diff_tests.py.
-- Marc Deslauriers <email address hidden> Wed, 26 Jun 2013 15:19:45 -0400
-
subversion (1.6.17dfsg-3ubuntu3) precise; urgency=low
* Build using dh_python2
-- Matthias Klose <email address hidden> Sat, 17 Dec 2011 15:01:54 +0000
-
subversion (1.6.17dfsg-3ubuntu2) precise; urgency=low
* Allow libserf-dev to satisfy serf build-dependency.
-- Colin Watson <email address hidden> Sun, 27 Nov 2011 19:02:00 +0000
-
subversion (1.6.17dfsg-3ubuntu1) precise; urgency=low
* Resynchronise with Debian. Remaining changes:
- Create pot file on build.
- Build a python-subversion-dbg package.
- Build-depend on default-jre-headless/-jdk.
- Do not apply java-build patch.
- debian/rules: Manually create the doxygen output directory, otherwise
we get weird build failures when running parallel builds.
* Re-enable the serf backend (LP: #830778).

subversion (1.6.17dfsg-3) unstable; urgency=medium
* libapache2.preinst: Fix upgrade case from before 1.6.17dfsg-2.
* libapache2.prerm: 'a2dismod' modules in reverse dependency order.
* patches/apache_module_dependency: New patch to allow mod_authz_svn to
load before mod_dav_svn and still use its functions.
All these together, Closes: #642250.
* Remove a bit more autofoo in 'clean' target.
-- Colin Watson <email address hidden> Sun, 27 Nov 2011 12:45:05 +0000
-
subversion (1.6.17dfsg-2ubuntu1) precise; urgency=low
* Resynchronise with Debian. Remaining changes:
- Create pot file on build.
- Build a python-subversion-dbg package.
- Build-depend on default-jre-headless/-jdk.
- Do not apply java-build patch.
- debian/rules: Manually create the doxygen output directory, otherwise
we get weird build failures when running parallel builds.
- Disable the serf backend because serf is in universe.
* Sync up python-subversion-dbg control fields with python-subversion.

subversion (1.6.17dfsg-2) unstable; urgency=low
* Standards-Version: 3.9.2. Also, multiarch.
* Move to debhelper level 7.
* patches/perl-warning: New patch to suppress a bogus Perl undef warning.
(Closes: #422699)
* patches/swig2-compat: New patch from upstream to build with swig 2.x.
(Closes: #634049)
* patches/perl-compiler-flags: New patch from upstream to address an
issue brought to light by Perl 5.14. (Closes: #628507)
* patches/sasl-mem-handling: New patch from upstream to fix a crash with
svn:// URLs and SASL authentication. (Closes: #631765)
* patches/svn2cl-upstream: Use --non-interactive in svn2cl to avoid
hanging on, e.g., password prompts. (Closes: #443860)
* patches/python-exception-syntax: New patch: Fix a couple instances of
literal string exceptions in Python, which don't work in 2.6+.
(Closes: #585358)
* Remove some preinst/postinst magic that hasn't been needed in years.
* Split authz_svn.load away from dav_svn.load, since most users do not
need both. New installs will enable only dav_svn by default.
* Restart apache in libapache2-svn postinst. (Closes: #610236, #628990)
* Improve symbols file with (regex)__ catchall for private symbols not
otherwise accounted for. (Closes: #607544) I'm also including a
workaround for rapidsvn, to be removed when 0.14 is released.
* Add ${misc:Depends} everywhere. Drop libsvn-java dependency on a jre.
Thanks, Lintian.
* Remove the extra copy of jquery supplied by doxygen, from libsvn-doc.
Doesn't seem to even be used. Thanks, Lintian.
* patches/po: New patch from Laurent Bigonville to fix minor issues in
fr.po and ja.po. (Closes: #607381)
* Move to dh_lintian, and fix up the overrides a bit.

subversion (1.6.17dfsg-1) unstable; urgency=high
* New upstream version. Includes security fixes:
- CVE-2011-1752: Remotely triggered crash in mod_dav_svn
- CVE-2011-1783: Remotely triggered memory exhaustion in mod_dav_svn
- CVE-2011-1921: Content leak of certain files marked unreadable
* svn-bisect: Support $SVN environment variable, requested by Daniel
Shahaf upstream.
* Update Lintian overrides to account for python through 2.9,
in case that ever comes to be.

subversion (1.6.16dfsg-1) unstable; urgency=high
* New upstream version.
- Fixes CVE-2011-0715: Remotely crash mod_dav_svn anonymously via a
lock token.
* patches/change-range: New patch to support -cA-B syntax on command line.
* Stop using svn-make-config.c; we can do the same just by running svn
itself in a controlled home directory. Delete debian/tools/.
-- Colin Watson <email address hidden> Wed, 16 Nov 2011 16:08:09 +0000
-
subversion (1.6.12dfsg-4ubuntu6) precise; urgency=low
* Rebuild for Perl 5.14.
-- Colin Watson <email address hidden> Wed, 16 Nov 2011 01:03:49 +0000
-
subversion (1.6.12dfsg-4ubuntu5) oneiric; urgency=low
* SECURITY UPDATE: denial of service via baselined WebDAV resource
request
- debian/patches/CVE-2011-1752.patch: disallow GETs of baselined
versions of resources in subversion/mod_dav_svn/repos.c.
- CVE-2011-1752
* SECURITY UPDATE: mod_dav_svn resource exhaustion via infinite loop
- debian/patches/CVE-2011-1783.patch: validate path in
subversion/libsvn_repos/authz.c.
- CVE-2011-1783
* SECURITY UPDATE: mod_dav_svn permissions bypass via incorrect
resource URL
- debian/patches/CVE-2011-1921.patch: validate path in
subversion/mod_dav_svn/authz.c.
- CVE-2011-1921
-- Marc Deslauriers <email address hidden> Fri, 05 Aug 2011 10:53:00 -0400