lp:ubuntu/precise-security/subversion

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

61. By Marc Deslauriers on 2015-08-20

* SECURITY UPDATE: denial of service via non-existing REPORT request
  - debian/patches/CVE-2014-3580.patch: make sure repo paths are
    specified in subversion/mod_dav_svn/reports/deleted-rev.c,
    subversion/mod_dav_svn/reports/file-revs.c,
    subversion/mod_dav_svn/reports/get-location-segments.c,
    subversion/mod_dav_svn/reports/get-locations.c,
    subversion/mod_dav_svn/reports/log.c,
    subversion/mod_dav_svn/reports/mergeinfo.c.
  - CVE-2014-3580
* SECURITY UPDATE: denial of service via crafted parameter combinations
  - debian/patches/CVE-2015-0248.patch: properly handle missing revision
    numbers in subversion/mod_dav_svn/reports/get-location-segments.c,
    subversion/svnserve/serve.c.
  - CVE-2015-0248
* SECURITY UPDATE: svn:author property spoofing issue
  - debian/patches/CVE-2015-0251.patch: restrict svn:author modifications
    in subversion/mod_dav_svn/deadprops.c.
  - CVE-2015-0251
* SECURITY UPDATE: sensitive path information disclosure
  - debian/patches/CVE-2015-3187.patch: fix order in
    subversion/libsvn_repos/rev_hunt.c, added tests to
    subversion/tests/cmdline/authz_tests.py,
    subversion/tests/libsvn_repos/repos-test.c.
  - CVE-2015-3187

60. By Marc Deslauriers on 2014-08-13

* SECURITY UPDATE: denial of service via mod_dav_svn
  - debian/patches/CVE-2014-0032.patch: only allow GET and HEAD in
    subversion/mod_dav_svn/repos.c.
  - CVE-2014-0032
* SECURITY UPDATE: incorrect ssl cert validation
  - debian/patches/CVE-2014-3522.patch: properly validate hostnames in
    subversion/include/private/svn_cert.h,
    subversion/libsvn_ra_serf/util.c,
    subversion/libsvn_subr/dirent_uri.c,
    added tests to subversion/tests/libsvn_subr/dirent_uri-test.c.
  - CVE-2014-3522
* SECURITY UPDATE: md5 collision authentication leak
  - debian/patches/CVE-2014-3528.patch: check if realm matches in
    subversion/libsvn_subr/config_auth.c.
  - CVE-2014-3528

59. By Marc Deslauriers on 2013-06-26

* SECURITY UPDATE: denial of service in mod_dav_svn
  - debian/patches/CVE-2013-1845.patch: handle multiple calls in
    subversion/mod_dav_svn/dav_svn.h, subversion/mod_dav_svn/deadprops.c.
  - CVE-2013-1845
* SECURITY UPDATE: denial of service in mod_dav_svn via LOCK
  - debian/patches/CVE-2013-1846_1847.patch: properly validate locks in
    subversion/mod_dav_svn/lock.c.
  - CVE-2013-1846
  - CVE-2013-1847
* SECURITY UPDATE: denial of service in mod_dav_svn via PROPFIND
  - debian/patches/CVE-2013-1849.patch: validate type in
    subversion/mod_dav_svn/liveprops.c.
  - CVE-2013-1849
* SECURITY UPDATE: repo corruption via newline chars in filenames
  - debian/patches/CVE-2013-1968.patch: properly escape paths in
    subversion/libsvn_fs_fs/tree.c, added test to
    subversion/tests/libsvn_fs/fs-test.c.
  - CVE-2013-1968
* SECURITY UPDATE: denial of service via closed connection
  - debian/patches/CVE-2013-2112.patch: check for closed connections in
    subversion/svnserve/main.c.
  - CVE-2013-2112
* Fix FTBFS from test suite failure because of APR hash ordering change:
  - debian/patches/fix_apr_ftbfs.patch: ignore ordering in
    subversion/bindings/swig/python/tests/repository.py,
    subversion/bindings/swig/python/tests/trac/versioncontrol/tests/svn_fs.py,
    subversion/bindings/swig/python/tests/wc.py,
    subversion/bindings/swig/ruby/test/test_client.rb,
    subversion/bindings/swig/ruby/test/test_wc.rb,
    subversion/tests/cmdline/stat_tests.py,
    subversion/tests/cmdline/svnlook_tests.py,
    subversion/tests/cmdline/svntest/actions.py,
    subversion/tests/cmdline/svntest/verify.py,
    subversion/tests/cmdline/switch_tests.py,
    subversion/tests/cmdline/diff_tests.py,
    subversion/tests/cmdline/svnsync_tests.py,
    subversion/tests/cmdline/update_tests.py,
    subversion/tests/cmdline/svnadmin_tests.py,
    disable test in subversion/bindings/swig/ruby/test/test_repos.rb,
    disable diff_repos_wc_add_with_props test in
    subversion/tests/cmdline/diff_tests.py.

58. By Matthias Klose on 2011-12-17

Build using dh_python2

57. By Colin Watson on 2011-11-27

Allow libserf-dev to satisfy serf build-dependency.

56. By Colin Watson on 2011-11-27

* Resynchronise with Debian. Remaining changes:
  - Create pot file on build.
  - Build a python-subversion-dbg package.
  - Build-depend on default-jre-headless/-jdk.
  - Do not apply java-build patch.
  - debian/rules: Manually create the doxygen output directory, otherwise
    we get weird build failures when running parallel builds.
* Re-enable the serf backend (LP: #830778).

55. By Colin Watson on 2011-11-16

* Resynchronise with Debian. Remaining changes:
  - Create pot file on build.
  - Build a python-subversion-dbg package.
  - Build-depend on default-jre-headless/-jdk.
  - Do not apply java-build patch.
  - debian/rules: Manually create the doxygen output directory, otherwise
    we get weird build failures when running parallel builds.
  - Disable the serf backend because serf is in universe.
* Sync up python-subversion-dbg control fields with python-subversion.

54. By Colin Watson on 2011-11-16

Rebuild for Perl 5.14.

53. By Marc Deslauriers on 2011-08-05

* SECURITY UPDATE: denial of service via baselined WebDAV resource
  request
  - debian/patches/CVE-2011-1752.patch: disallow GETs of baselined
    versions of resources in subversion/mod_dav_svn/repos.c.
  - CVE-2011-1752
* SECURITY UPDATE: mod_dav_svn resource exhaustion via infinite loop
  - debian/patches/CVE-2011-1783.patch: validate path in
    subversion/libsvn_repos/authz.c.
  - CVE-2011-1783
* SECURITY UPDATE: mod_dav_svn permissions bypass via incorrect
  resource URL
  - debian/patches/CVE-2011-1921.patch: validate path in
    subversion/mod_dav_svn/authz.c.
  - CVE-2011-1921

52. By Colin Watson on 2011-05-06

Disable KWallet support on armel, again temporarily.