Change logs for subversion source package in Trusty

  • subversion (1.8.8-1ubuntu3.3) trusty-security; urgency=medium
    
      * SECURITY UPDATE: Arbitrary code execution on clients through
        malicious svn+ssh URLs
        - debian/patches/CVE-2017-9800-1.8.18.patch: ensure that host
          arguments to ssh cannot be treated as ssh options.
        - CVE-2017-9800
      * SECURITY UPDATE: svnserve/sasl may authenticate users using the
        wrong realm.
        - debian/patches/CVE-2016-2167.patch: Reject invalid usernames when
          SASL is being used.
        - CVE-2016-2167
      * SECURITY UPDATE: remotely triggerable crash in the mod_authz_svn
        module.
        - debian/patches/CVE-2016-2167.patch: Reject requests with invalid
          Destination headers.
        - CVE-2016-2168
      * SECURITY UPDATE: denial-of-service caused by exponential XML
        entity expansion ("billion laughs attack").
        - debian/patches/CVE-2016-8734-1,8.patch: properly error out the
          parser on invalid data.
        - CVE-2016-8734
      * SECURITY UPDATE: mod_dav_svn: integer overflow when parsing
        skel-encoded request bodies.
        - debian/patches/CVE-2015-5343.patch: Defer memory allocation
          when reading skel-encoded requests.
        - CVE-2015-5343
    
     -- Steve Beattie <email address hidden>  Thu, 10 Aug 2017 00:00:57 -0700
  • subversion (1.8.8-1ubuntu3.2) trusty-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via non-existing REPORT request
        - debian/patches/CVE-2014-3580.patch: make sure repo paths are
          specified in subversion/mod_dav_svn/reports/deleted-rev.c,
          subversion/mod_dav_svn/reports/file-revs.c,
          subversion/mod_dav_svn/reports/get-location-segments.c,
          subversion/mod_dav_svn/reports/get-locations.c,
          subversion/mod_dav_svn/reports/inherited-props.c,
          subversion/mod_dav_svn/reports/log.c,
          subversion/mod_dav_svn/reports/mergeinfo.c.
        - CVE-2014-3580
      * SECURITY UPDATE: denial of service via non-existing virtual transaction
        name
        - debian/patches/CVE-2014-8108.patch: check transaction names and
          activity ids in subversion/mod_dav_svn/repos.c.
        - CVE-2014-8108
      * SECURITY UPDATE: denial of service via large number of REPORT requests
        - debian/patches/CVE-2015-0202.patch: refactor locking in
          subversion/libsvn_fs_fs/tree.c.
        - CVE-2015-0202
      * SECURITY UPDATE: denial of service via crafted parameter combinations
        - debian/patches/CVE-2015-0248.patch: properly handle missing revision
          numbers in subversion/mod_dav_svn/reports/get-location-segments.c,
          subversion/svnserve/serve.c.
        - CVE-2015-0248
      * SECURITY UPDATE: svn:author property spoofing issue
        - debian/patches/CVE-2015-0251.patch: restrict svn:author modifications
          in subversion/mod_dav_svn/deadprops.c.
        - CVE-2015-0251
      * SECURITY UPDATE: incorrect anonymous access restriction
        - debian/patches/CVE-2015-3184.patch: use force_authn() in Makefile.in,
          build/ac-macros/apache.m4, build/run_tests.py,
          subversion/mod_authz_svn/mod_authz_svn.c,
          subversion/tests/cmdline/README,
          subversion/tests/cmdline/davautocheck.sh,
          subversion/tests/cmdline/mod_authz_svn_tests.py,
          subversion/tests/cmdline/svntest/main.py, win-tests.py.
        - CVE-2015-3184
      * SECURITY UPDATE: sensitive path information disclosure
        - debian/patches/CVE-2015-3187.patch: fix order in
          subversion/libsvn_repos/rev_hunt.c, added tests to
          subversion/tests/cmdline/authz_tests.py,
          subversion/tests/libsvn_repos/repos-test.c.
        - CVE-2015-3187
      * debian/control: Depend on specific version of apache2-dev and
        apache2-bin to make sure fix for CVE-2015-3185 is included.
    
     -- Marc Deslauriers <email address hidden>  Wed, 19 Aug 2015 14:32:44 -0400
  • subversion (1.8.8-1ubuntu3.1) trusty-security; urgency=medium
    
      * SECURITY UPDATE: incorrect ssl cert validation
        - debian/patches/CVE-2014-3522.patch: properly validate hostnames in
          subversion/include/private/svn_cert.h,
          subversion/libsvn_ra_serf/util.c,
          subversion/libsvn_subr/dirent_uri.c,
          added tests to subversion/tests/libsvn_subr/dirent_uri-test.c.
        - CVE-2014-3522
      * SECURITY UPDATE: md5 collision authentication leak
        - debian/patches/CVE-2014-3528.patch: check if realm matches in
          subversion/libsvn_subr/config_auth.c.
        - CVE-2014-3528
     -- Marc Deslauriers <email address hidden>   Wed, 13 Aug 2014 10:28:59 -0400
  • subversion (1.8.8-1ubuntu3) trusty; urgency=medium
    
      * Run the tests on powerpc again.
     -- Matthias Klose <email address hidden>   Mon, 24 Feb 2014 11:05:59 +0100
  • subversion (1.8.8-1ubuntu2) trusty; urgency=medium
    
      * Re-add lost python-all-dbg build dependency.
     -- Matthias Klose <email address hidden>   Sun, 23 Feb 2014 17:15:51 +0100
  • subversion (1.8.8-1ubuntu1) trusty; urgency=medium
    
      * Merge with Debian; remaining changes:
        - Create pot file on build.
        - debian/rules: Manually create the doxygen output directory, otherwise
          we get weird build failures when running parallel builds.
        - Build a python-subversion-dbg package.
        - Build-depend on python-dbg.
        - Build-depend on default-jre-headless/-jdk.
        - only build on requested python versions (X-Python-Versions:)
        - Do not apply java-build patch.
        - Drop svn2cl to Suggests; we don't particularly need it in Ubuntu main
        - Add DEP-8 test for Apache functionality.
        - debian/patches/ruby19.patch: disable check for ruby 1.8, and backport
          a few changes to the test suite.
        - debian/control: added ruby-test-unit to Build-Depends
        - Check for libtoolize instead of libtool, which is not used for
          the build.
        - Temporarily disable running the tests on powerpc.
    
    subversion (1.8.8-1) unstable; urgency=medium
    
      * New upstream release.  Refresh patches.
        - Remove backported patches sqlite_3.8.x_workaround & swig-pl_build_fix
        - Fix integer overflows with 32-bit svnserve, which could cause an infinite
          loop (Closes: #738840) or inaccurate statistics (Closes: #738841)
        - Work around SQLite not honoring umask when creating rep-cache.db.
          (Closes: #735446)
        - Includes security fix:
          + CVE-2014-0032: mod_dav_svn crash when handling certain requests with
            SVNListParentPath on  (Closes: #737815)
      * Add a subversion-dbg package.  (Closes: #508147)
      * Bump libdb5.1-dev → libdb5.3-dev  (Closes: #738650)
     -- Matthias Klose <email address hidden>   Sun, 23 Feb 2014 16:47:32 +0100
  • subversion (1.8.5-2ubuntu3) trusty; urgency=medium
    
      * Temporarily disable running the tests on powerpc.
     -- Matthias Klose <email address hidden>   Sat, 22 Feb 2014 14:39:49 +0100
  • subversion (1.8.5-2ubuntu2) trusty; urgency=medium
    
      * Make the python and ruby tests verbose.
      * Ignore the test results of the python-dbg bindings.
     -- Matthias Klose <email address hidden>   Fri, 21 Feb 2014 13:13:07 +0100
  • subversion (1.8.5-2ubuntu1) trusty; urgency=medium
    
      * Merge with Debian; remaining changes:
        - Create pot file on build.
        - debian/rules: Manually create the doxygen output directory, otherwise
          we get weird build failures when running parallel builds.
        - Build a python-subversion-dbg package.
        - Build-depend on python-dbg.
        - Build-depend on default-jre-headless/-jdk.
        - only build on requested python versions (X-Python-Versions:)
        - Do not apply java-build patch.
        - Drop svn2cl to Suggests; we don't particularly need it in Ubuntu main
        - Add DEP-8 test for Apache functionality.
        - Build-depend on libdb5.3-dev, instead of libdb5.1-dev.
        - debian/patches/ruby19.patch: disable check for ruby 1.8, and backport
          a few changes to the test suite.
        - debian/control: added ruby-test-unit to Build-Depends
        - Check for libtoolize instead of libtool, which is not used for
          the build.
    
    subversion (1.8.5-2) unstable; urgency=medium
    
      * rules: Move comment out of multi-line variable definition so configure is
        run with the correct flags.  (Closes: #735609)
      * control: Remove libsvn-ruby1.8 Provides from ruby-svn.
      * Add patches/swig-pl_build_fix, from upstream, to fix a build failure when
        configure is run with --enable-sqlite-compatibility.
    
    subversion (1.8.5-1) unstable; urgency=low
    
      [ Peter Samuelson ]
      * New upstream release.  (Closes: #725787) Rediff patches:
        - Remove apr-abi1 (applied upstream), rename apr-abi2 to apr-abi
        - Remove loosen-sqlite-version-check (shouldn't be needed)
        - Remove java-osgi-metadata (applied upstream)
        - svnmucc prompts for a changelog if none is provided. (Closes: #507430)
        - Remove fix-bdb-version-detection, upstream uses "apu-config --dbm-libs"
        - Remove ruby-test-wc (applied upstream)
        - Fix “svn diff -r N file” when file has svn:mime-type set.
          (Closes: #734163)
        - Support specifying an encoding for mod_dav_svn's environment in which
          hooks are run.  (Closes: #601544)
        - Fix ordering of “svnadmin dump” paths with certain APR versions.
          (Closes: #687291)
        - Provide a better error message when authentication fails with an
          svn+ssh:// URL.  (Closes: #273874)
        - Updated Polish translations.  (Closes: #690815)
    
      [ James McCoy ]
      * Remove all traces of libneon, replaced by libserf.
      * patches/sqlite_3.8.x_workaround: Upstream fix for wc-queries-test test
        failures.
      * Run configure with --with-apache-libexecdir, which allows removing part of
        patches/rpath.
      * Re-enable auth-test as upstream has fixed the problem of picking up
        libraries from the environment rather than the build tree.
        (Closes: #654172)
      * Point LD_LIBRARY_PATH at the built auth libraries when running the svn
        command during the build.  (Closes: #678224)
      * Add a NEWS entry describing how to configure mod_dav_svn to understand
        UTF-8.  (Closes: #566148)
      * Remove ancient transitional package, libsvn-ruby.
      * Enable compatibility with Sqlite3 versions back to Wheezy.
      * Enable hardening flags.  (Closes: #734918)
      * patches/build-fixes: Enable verbose build logs.
      * Build against the default ruby version.  (Closes: #722393)
     -- Matthias Klose <email address hidden>   Fri, 21 Feb 2014 10:47:48 +0100
  • subversion (1.7.14-1ubuntu2) trusty; urgency=medium
    
      * Check for libtoolize instead of libtool, which is not used for
        the build.
     -- Matthias Klose <email address hidden>   Mon, 06 Jan 2014 23:47:01 +0100
  • subversion (1.7.14-1ubuntu1) trusty; urgency=medium
    
      * Merge with Debian; remaining changes:
        - Create pot file on build.
        - debian/rules: Manually create the doxygen output directory, otherwise
          we get weird build failures when running parallel builds.
        - Build a python-subversion-dbg package.
        - Build-depend on python-dbg.
        - Build-depend on default-jre-headless/-jdk.
        - only build on requested python versions (X-Python-Versions:)
        - Do not apply java-build patch.
        - Drop svn2cl to Suggests; we don't particularly need it in Ubuntu main
        - Add DEP-8 test for Apache functionality.
        - Build-depend on libdb5.3-dev, instead of libdb5.1-dev.
        - debian/control, debian/rules: build against default ruby, instead of
          ruby1.8.
        - debian/patches/ruby19.patch: disable check for ruby 1.8, and backport
          a few changes to the test suite.
        - debian/control: added ruby-test-unit to Build-Depends
    
    subversion (1.7.14-1) unstable; urgency=medium
    
      * New upstream version.
        - mod_dav_svn: Prevent crashes with some 3rd party modules.  (Closes:
          #728352)
        - Includes security fix:
          + CVE-2013-4505: mod_dontdothat restrictions bypassed by relative
            requests  (Closes: #730541)
          + CVE-2013-4558: mod_dav_svn assertion when SVNAutoversioning is
            enabled.
      * Bump compat to debhelper 8
      * Use shlibs.local to handle intrapackage dependencies on private libraries.
      * rules: Fix removal of libsvnjavahl-1.a/.la/.so from libsvn-dev.  (Closes:
        #711911)
      * Remove obsolete conffiles under /etc/svn2cl.  (Closes: #677990)
    
    subversion (1.7.13-3) unstable; urgency=low
    
      * Remove architecture exclusions for libsvn-java.  (Closes: #710498)
      * Fix multi-arch Python include paths.  (Closes: #698443)
      * Add strict Depends on libsvn1 to libapach2-mod-svn since the latter
        leverages some internal APIs and therefore must be upgraded in lock step.
        (Closes: #705464)
      * Standards-Version 3.9.5 (no change needed).
      * Add strict minimum Depends on libsqlite3-0 to work around lack of build
        time dependency information.  (Closes: #721878)
     -- Matthias Klose <email address hidden>   Mon, 06 Jan 2014 23:18:34 +0100
  • subversion (1.7.13-2ubuntu3) trusty; urgency=low
    
      * debian/control, debian/rules: build against default ruby, instead of
        ruby1.8. (LP: #1254052)
      * debian/patches/ruby19.patch: disable check for ruby 1.8, and backport
        a few changes to the test suite.
      * debian/control: added ruby-test-unit to Build-Depends
     -- Marc Deslauriers <email address hidden>   Mon, 02 Dec 2013 10:03:16 -0500
  • subversion (1.7.13-2ubuntu2) trusty; urgency=low
    
      * Build-depend on libdb5.3-dev, instead of libdb5.1-dev.
     -- Dmitrijs Ledkovs <email address hidden>   Mon, 04 Nov 2013 08:01:36 +0000
  • subversion (1.7.13-2ubuntu1) trusty; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Create pot file on build.
        - debian/rules: Manually create the doxygen output directory, otherwise
          we get weird build failures when running parallel builds.
        - Build a python-subversion-dbg package.
        - Build-depend on python-dbg.
        - Build-depend on default-jre-headless/-jdk.
        - only build on requested python versions (X-Python-Versions:)
        - Do not apply java-build patch.
        - Drop svn2cl to Suggests; we don't particularly need it in Ubuntu main
        - Add DEP-8 test for Apache functionality.
    
    subversion (1.7.13-2) unstable; urgency=low
    
      * Remove unnecessary libapache2-svn.prem.  (Closes: #726717)
    
    subversion (1.7.13-1) unstable; urgency=low
    
      [ Peter Samuelson ]
      * New upstream version.  (Closes: #719476)
        - patches/CVE-2013-1968.patch, patches/CVE-2013-2112.patch: remove,
          obsoleted
        - Includes security fixes:
          + CVE-2013-4131: Remotely triggered crash in mod_dav_svn (Closes:
            #717794)
          + CVE-2013-4277: Local privilege escalation vulnerability via symlink
            attack (Closes: #721542)
    
      [ James McCoy ]
      * Add myself to uploaders.
      * Acknowledge NMUs.
      * Canonicalize the Vcs-* URLs.  Thanks, Lintian.
      * Remove Guilherme de S. Pastore from Uploaders. (Closes: #698270)
      * Add Breaks: svnmailer (<< 1.0.9) to python-subversion.  (Closes: #726491)
      * Remove obsolete conffile /etc/emacs/site-start.d/50psvn.el.  (Closes:
        #705033)
     -- William Grant <email address hidden>   Sat, 19 Oct 2013 11:53:15 +0000
  • subversion (1.7.9-1+nmu6ubuntu3) saucy; urgency=low
    
      * Re-enable kwallet support on arm64 now that kde4libs is built.
     -- William Grant <email address hidden>   Tue, 15 Oct 2013 23:25:04 +1100