Merge subversion 1.6.5dfsg-1 (main) from Debian unstable (main).

Bug #406245 reported by Bhavani Shankar
This bug affects 3 people
Affects: subversion (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Scott Kitterman
Milestone: (none)

Bug Description

Binary package hint: subversion

Debian has a new version to be merged

Changelog since current karmic version 1.6.1dfsg-1ubuntu2:

subversion (1.6.5dfsg-1) unstable; urgency=low

  * New upstream release.
    - Resolves symlinks in ~/.subversion. (Closes: #541202)
  * patches/ssh-no-controlmaster: Replace with the much simpler approach
    upstream demonstrates with 'ssh -q'.
  * patches/no-dbus-spam: New patch to shut up the gnome-keyring library
    when it can't initialize. (Closes: #542403)
  * patches/ruby-test-tree-conflicts: New patch from upstream trunk, to
    fix two ruby test failures.

 -- Peter Samuelson <email address hidden> Thu, 20 Aug 2009 12:16:39 -0500

subversion (1.6.4dfsg-1) unstable; urgency=high

  * New upstream security release.
    - Fix CVE-2009-2411, heap overflows in svndiff stream parsing.

 -- Peter Samuelson <email address hidden> Wed, 05 Aug 2009 20:12:07 -0500

subversion (1.6.3dfsg-1) unstable; urgency=low

  * New upstream release.
  * Update package sections corresponding to recent ftpmaster work.
  * Re-enable libsvn_ra_serf, now that serf 0.3.0-0.2 is available.
  * Add symbols file for libsvn1, for finer-grained dependencies.

 -- Peter Samuelson <email address hidden> Tue, 14 Jul 2009 23:51:24 -0500

Bhavani Shankar (bhavi) wrote :
Changed in subversion (Ubuntu):
status: New → Confirmed
Anders Kaseorg (andersk) wrote :

libserf-0-0-dev is a new build dependency, so someone will need to file a main inclusion report for serf.

Anders Kaseorg (andersk) wrote : Re: Merge subversion 1.6.4dfsg-1 (main) from Debian unstable (main).
description: updated
summary: - please merge subversion 1.6.3(main) from debian unstable(main)
+ Merge subversion 1.6.4dfsg-1 (main) from Debian unstable (main).
Anders Kaseorg (andersk) wrote :

The main inclusion report for serf is bug 410624.

Anders Kaseorg (andersk) wrote :

The MIR approval team would prefer to keep serf in universe for now, so here’s an updated debdiff that also removes the serf backend. I’ve built and tested it in my PPA:
https://launchpad.net/~anders-kaseorg/+archive/subversion-1.6

Anders Kaseorg (andersk) wrote :
description: updated
summary: - Merge subversion 1.6.4dfsg-1 (main) from Debian unstable (main).
+ Merge subversion 1.6.5dfsg-1 (main) from Debian unstable (main).
Max Bowsher (maxb) wrote :

Dear release team,

This bug has been pending sponsorship since before FeatureFreeze. The current upstream version of Subversion in Karmic is 1.6.1, fairly early on in the lifetime of the 1.6.x series. This merge would see it brought up to 1.6.5, incorporating many upstream bugfixes and at least one upstream security fix. I think it would ultimately be more useful and more maintainable to see Karmic released with a newer upstream version rather than putting work into backporting the security fix and whatever handful of bugfixes are problematic enough to be bothered with.

Obviously this needs to happen sooner rather than later, since it's a fairly big change, but as we're currently only hours after FeatureFreeze I hope this exception can be considered reasonable.

I am including the relevant upstream change summary:

Version 1.6.5
(21 Aug 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.5

 User-visible changes:
  * fix mod_dav_svn directory view links to preserve peg revisions (r38021)
  * do not error on Windows when ALLUSERPROFILE dir nonexistent (r38053, -5, -7)
  * properly escape lock comments over ra_neon (r38101, -2)
  * allow syncing copies of '/' over ra_neon and ra_serf (issue #3438)
  * make 'svnlook diff' show empty added or deleted files (r38458)
  * fix building with Apache 2.4 (r36720)
  * fix possible data loss on ext4 and GPFS filesystems (issue #3442)
  * resolve symlinks when checking for ~/.subversion (r36023)
  * don't let svn+ssh SIGKILL ssh processes (issue #2580)
  * allow PLAIN and LOGIN mechanisms with SASL in svnserve (r38205)
  * fix peg revision parsing in filenames like '<email address hidden>' (issue #3416)
  * fix detection of Apache <2.0.56 (r38290, -3, -4)
  * don't pretend to do tree conflict resolution (r38799, -801, -805)
  * fix data corruption when syncing from svnserve to mod_dav_svn (r38686, -7)
  * fix GNOME Keyring with '--non-interactive' option (r38222, -3, -61, -410)
  * fixed: false "File '...' already exists" error during commit (issue #3119)

 Developer-visible changes:
  * avoid referencing uninitialized variables (r38388)
  * plug a couple of error leaks (r38572)
  * improve windows test output (r38616, -7, -9, -49)

Version 1.6.4
(06 Aug 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.4

 User-visible changes:
  * fixed: heap overflow vulnerability on server and client
           See CVE-2009-2411, and descriptive advisory at
           http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt

Version 1.6.3
(22 Jun 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.3

 User-visible changes:
  * fix segfault in WC->URL copy (r37646, -56)
  * let 'svnadmin load' tolerate mergeinfo with "\r\n" (r37768)
  * make svnsync normalize svn:* props to LF line endings (issue #3404)
  * better integration with external merge tools (r36178)
  * return a friendly error message for 'svn diff' (r37735)
  * update dsvn.el for 1.6 (r37774)
  * don't allow setting of props on out-of-date dirs under neon (r37745)
  * improve BASH completion (r36450, -52, -70, -79, -538)
  * always show tree conflicts with 'svn st' (issue #3382)
  * improve correctness of...


Martin Pitt (pitti) wrote :

That looks fine, approved.

Changed in subversion (Ubuntu):
assignee: nobody → Scott Kitterman (kitterman)
importance: Undecided → Medium
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package subversion - 1.6.5dfsg-1ubuntu1

---------------
subversion (1.6.5dfsg-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable (LP: #406245), remaining changes:
    - Create pot file on build.
    - Build a python-subversion-dbg package.
    - (Build-)depend on default-jre-headless/-jdk.
    - Do not apply java-build patch.
    - Don't build for python2.4, not in main.
    - debian/rules: Manually create the doxygen output directory, otherwise
      we get weird build failures when running parallel builds.
  * Disable the serf backend because serf is in universe.

subversion (1.6.5dfsg-1) unstable; urgency=low

  * New upstream release.
    - Resolves symlinks in ~/.subversion. (Closes: #541202)
  * patches/ssh-no-controlmaster: Replace with the much simpler approach
    upstream demonstrates with 'ssh -q'.
  * patches/no-dbus-spam: New patch to shut up the gnome-keyring library
    when it can't initialize. (Closes: #542403)
  * patches/ruby-test-tree-conflicts: New patch from upstream trunk, to
    fix two ruby test failures.

subversion (1.6.4dfsg-1) unstable; urgency=high

  * New upstream security release.
    - Fix CVE-2009-2411, heap overflows in svndiff stream parsing.

subversion (1.6.3dfsg-1) unstable; urgency=low

  * New upstream release.
  * Update package sections corresponding to recent ftpmaster work.
  * Re-enable libsvn_ra_serf, now that serf 0.3.0-0.2 is available.
  * Add symbols file for libsvn1, for finer-grained dependencies.

 -- Anders Kaseorg <email address hidden> Mon, 24 Aug 2009 19:09:22 -0400

Changed in subversion (Ubuntu):
status: In Progress → Fix Released