lp:ubuntu/precise-security/subversion

Created by Ubuntu Package Importer on 2013-06-27 and last modified on 2015-08-20
Get this branch:
bzr branch lp:ubuntu/precise-security/subversion
Members of Ubuntu branches can upload to this branch.

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

61. By Marc Deslauriers on 2015-08-20

* SECURITY UPDATE: denial of service via non-existing REPORT request
  - debian/patches/CVE-2014-3580.patch: make sure repo paths are
    specified in subversion/mod_dav_svn/reports/deleted-rev.c,
    subversion/mod_dav_svn/reports/file-revs.c,
    subversion/mod_dav_svn/reports/get-location-segments.c,
    subversion/mod_dav_svn/reports/get-locations.c,
    subversion/mod_dav_svn/reports/log.c,
    subversion/mod_dav_svn/reports/mergeinfo.c.
  - CVE-2014-3580
* SECURITY UPDATE: denial of service via crafted parameter combinations
  - debian/patches/CVE-2015-0248.patch: properly handle missing revision
    numbers in subversion/mod_dav_svn/reports/get-location-segments.c,
    subversion/svnserve/serve.c.
  - CVE-2015-0248
* SECURITY UPDATE: svn:author property spoofing issue
  - debian/patches/CVE-2015-0251.patch: restrict svn:author modifications
    in subversion/mod_dav_svn/deadprops.c.
  - CVE-2015-0251
* SECURITY UPDATE: sensitive path information disclosure
  - debian/patches/CVE-2015-3187.patch: fix order in
    subversion/libsvn_repos/rev_hunt.c, added tests to
    subversion/tests/cmdline/authz_tests.py,
    subversion/tests/libsvn_repos/repos-test.c.
  - CVE-2015-3187

60. By Marc Deslauriers on 2014-08-13

* SECURITY UPDATE: denial of service via mod_dav_svn
  - debian/patches/CVE-2014-0032.patch: only allow GET and HEAD in
    subversion/mod_dav_svn/repos.c.
  - CVE-2014-0032
* SECURITY UPDATE: incorrect ssl cert validation
  - debian/patches/CVE-2014-3522.patch: properly validate hostnames in
    subversion/include/private/svn_cert.h,
    subversion/libsvn_ra_serf/util.c,
    subversion/libsvn_subr/dirent_uri.c,
    added tests to subversion/tests/libsvn_subr/dirent_uri-test.c.
  - CVE-2014-3522
* SECURITY UPDATE: md5 collision authentication leak
  - debian/patches/CVE-2014-3528.patch: check if realm matches in
    subversion/libsvn_subr/config_auth.c.
  - CVE-2014-3528

59. By Marc Deslauriers on 2013-06-26

* SECURITY UPDATE: denial of service in mod_dav_svn
  - debian/patches/CVE-2013-1845.patch: handle multiple calls in
    subversion/mod_dav_svn/dav_svn.h, subversion/mod_dav_svn/deadprops.c.
  - CVE-2013-1845
* SECURITY UPDATE: denial of service in mod_dav_svn via LOCK
  - debian/patches/CVE-2013-1846_1847.patch: properly validate locks in
    subversion/mod_dav_svn/lock.c.
  - CVE-2013-1846
  - CVE-2013-1847
* SECURITY UPDATE: denial of service in mod_dav_svn via PROPFIND
  - debian/patches/CVE-2013-1849.patch: validate type in
    subversion/mod_dav_svn/liveprops.c.
  - CVE-2013-1849
* SECURITY UPDATE: repo corruption via newline chars in filenames
  - debian/patches/CVE-2013-1968.patch: properly escape paths in
    subversion/libsvn_fs_fs/tree.c, added test to
    subversion/tests/libsvn_fs/fs-test.c.
  - CVE-2013-1968
* SECURITY UPDATE: denial of service via closed connection
  - debian/patches/CVE-2013-2112.patch: check for closed connections in
    subversion/svnserve/main.c.
  - CVE-2013-2112
* Fix FTBFS from test suite failure because of APR hash ordering change:
  - debian/patches/fix_apr_ftbfs.patch: ignore ordering in
    subversion/bindings/swig/python/tests/repository.py,
    subversion/bindings/swig/python/tests/trac/versioncontrol/tests/svn_fs.py,
    subversion/bindings/swig/python/tests/wc.py,
    subversion/bindings/swig/ruby/test/test_client.rb,
    subversion/bindings/swig/ruby/test/test_wc.rb,
    subversion/tests/cmdline/stat_tests.py,
    subversion/tests/cmdline/svnlook_tests.py,
    subversion/tests/cmdline/svntest/actions.py,
    subversion/tests/cmdline/svntest/verify.py,
    subversion/tests/cmdline/switch_tests.py,
    subversion/tests/cmdline/diff_tests.py,
    subversion/tests/cmdline/svnsync_tests.py,
    subversion/tests/cmdline/update_tests.py,
    subversion/tests/cmdline/svnadmin_tests.py,
    disable test in subversion/bindings/swig/ruby/test/test_repos.rb,
    disable diff_repos_wc_add_with_props test in
    subversion/tests/cmdline/diff_tests.py.

58. By Matthias Klose on 2011-12-17

Build using dh_python2

57. By Colin Watson on 2011-11-27

Allow libserf-dev to satisfy serf build-dependency.

56. By Colin Watson on 2011-11-27

* Resynchronise with Debian. Remaining changes:
  - Create pot file on build.
  - Build a python-subversion-dbg package.
  - Build-depend on default-jre-headless/-jdk.
  - Do not apply java-build patch.
  - debian/rules: Manually create the doxygen output directory, otherwise
    we get weird build failures when running parallel builds.
* Re-enable the serf backend (LP: #830778).

55. By Colin Watson on 2011-11-16

* Resynchronise with Debian. Remaining changes:
  - Create pot file on build.
  - Build a python-subversion-dbg package.
  - Build-depend on default-jre-headless/-jdk.
  - Do not apply java-build patch.
  - debian/rules: Manually create the doxygen output directory, otherwise
    we get weird build failures when running parallel builds.
  - Disable the serf backend because serf is in universe.
* Sync up python-subversion-dbg control fields with python-subversion.

54. By Colin Watson on 2011-11-16

Rebuild for Perl 5.14.

53. By Marc Deslauriers on 2011-08-05

* SECURITY UPDATE: denial of service via baselined WebDAV resource
  request
  - debian/patches/CVE-2011-1752.patch: disallow GETs of baselined
    versions of resources in subversion/mod_dav_svn/repos.c.
  - CVE-2011-1752
* SECURITY UPDATE: mod_dav_svn resource exhaustion via infinite loop
  - debian/patches/CVE-2011-1783.patch: validate path in
    subversion/libsvn_repos/authz.c.
  - CVE-2011-1783
* SECURITY UPDATE: mod_dav_svn permissions bypass via incorrect
  resource URL
  - debian/patches/CVE-2011-1921.patch: validate path in
    subversion/mod_dav_svn/authz.c.
  - CVE-2011-1921

52. By Colin Watson on 2011-05-06

Disable KWallet support on armel, again temporarily.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/saucy/subversion