-
subversion (1.9.3-2ubuntu1.3) xenial-security; urgency=medium
* SECURITY UPDATE: Remotely triggerable DoS vulnerability in svnserve
'get-deleted-rev'
- debian/patches/CVE-2018-11782.patch: properly handle certain replies
in subversion/libsvn_ra_svn/client.c, subversion/svnserve/serve.c,
subversion/tests/libsvn_ra/ra-test.c.
- CVE-2018-11782
* SECURITY UPDATE: Remote unauthenticated denial-of-service in svnserve
- debian/patches/CVE-2019-0203.patch: properly handle errors in
subversion/svnserve/serve.c.
- CVE-2019-0203
* WARNING: this update does _not_ include the changes from
(1.9.3-2ubuntu1.2) in xenial-proposed.
-- Marc Deslauriers <email address hidden> Fri, 26 Jul 2019 09:55:16 -0400
-
subversion (1.9.3-2ubuntu1.2) xenial; urgency=medium
* Backport patches/perl-swig-crash from upstream to fix crashes with Perl
bindings, commonly seen when using git-svn (LP: #1451028)
-- James McCoy <email address hidden> Wed, 14 Mar 2018 22:29:16 -0400
-
subversion (1.9.3-2ubuntu1.1) xenial-security; urgency=medium
* SECURITY UPDATE: Arbitrary code execution on clients through
malicious svn+ssh URLs
- debian/patches/CVE-2017-9800-1.9.6.patch: ensure that host
arguments to ssh cannot be treated as ssh options.
- CVE-2017-9800
* SECURITY UPDATE: svnserve/sasl may authenticate users using the
wrong realm.
- debian/patches/CVE-2016-2167.patch: Reject invalid usernames when
SASL is being used.
- CVE-2016-2167
* SECURITY UPDATE: remotely triggerable crash in the mod_authz_svn
module.
- debian/patches/CVE-2016-2167.patch: Reject requests with invalid
Destination headers.
- CVE-2016-2168
* SECURITY UPDATE: denial-of-service caused by exponential XML
entity expansion ("billion laughs attack").
- debian/patches/CVE-2016-8734.patch: properly error out the
parser on invalid data.
- CVE-2016-8734
-- Steve Beattie <email address hidden> Wed, 09 Aug 2017 23:16:19 -0700
-
subversion (1.9.3-2ubuntu1) xenial; urgency=medium
* Merge with Debian; remaining changes:
- Build a python-subversion-dbg package.
- Build-depend on python-all-dbg.
- Only build on requested python versions (X-Python-Versions:).
- debian/patches/verbose-tests: Make tests verbose.
subversion (1.9.3-2) unstable; urgency=medium
* Remove -Wdate-time from CPPFLAGS passed to swig. (Closes: #809054)
-- Matthias Klose <email address hidden> Mon, 14 Mar 2016 08:29:53 +0100
-
subversion (1.9.3-1ubuntu2) xenial; urgency=medium
* No-change rebuild for ruby2.3-only support.
-- Matthias Klose <email address hidden> Sun, 13 Mar 2016 21:17:54 +0000
-
subversion (1.9.3-1ubuntu1) xenial; urgency=medium
* Merge with Debian; remaining changes:
- Build a python-subversion-dbg package.
- Build-depend on python-all-dbg.
- Only build on requested python versions (X-Python-Versions:).
- debian/patches/verbose-tests: Make tests verbose.
subversion (1.9.3-1) unstable; urgency=high
* New upstream release.
+ Security fixes
- CVE-2015-5259: Heap overflow and out-of-bounds read in svn:// protocol
parser
- CVE-2015-5343: Heap overflow and out-of-bounds read in mod_dav_svn
+ Fix dumps of no-op changes with “svnadmin dump”. (Closes: #803725)
+ Fix segfault when performing a diff when repository is on server root.
(Closes: #802611)
+ Fix translations of commit notifications. (Closes: #802156)
+ Fix authz with mod_auth_ntlm/mod_auth_kerb. (Closes: #797216)
+ Restore reporting (un)lock errors as failures. (Closes: #796781)
subversion (1.9.2-3) unstable; urgency=medium
* Re-enable libsvn-java on kfreebsd-*.
* Ensure swig2.0 is used to avoid build failures, until upstream figures
out how to work with swig >= 3.0. (Closes: #804389)
* Fix FTBFS with Ruby 2.2 (Closes: #803589)
+ Add ruby-frozen-nil patch to create a new Object instead of trying to
make modifications to the nil object.
+ Add ruby-test-unit patch to be compatible with the ruby-test-unit gem as
well as the older test-unit API provided by minitest.
subversion (1.9.2-3ubuntu2) xenial; urgency=medium
* Rebuild for Perl 5.22.1.
-- Matthias Klose <email address hidden> Fri, 08 Jan 2016 10:04:26 +0100
-
subversion (1.9.2-3ubuntu2) xenial; urgency=medium
* Rebuild for Perl 5.22.1.
-- Colin Watson <email address hidden> Fri, 18 Dec 2015 11:23:17 +0000
-
subversion (1.9.2-3ubuntu1) xenial; urgency=medium
* Merge with Debian unstable, remaining changes:
- Build a python-subversion-dbg package.
- Build-depend on python-all-dbg.
- Only build on requested python versions (X-Python-Versions:).
- debian/patches/verbose-tests: Make tests verbose.
* Drop CVE patches that are included in this new upstream version.
subversion (1.9.2-3) unstable; urgency=medium
* Re-enable libsvn-java on kfreebsd-*.
* Ensure swig2.0 is used to avoid build failures, until upstream figures
out how to work with swig >= 3.0. (Closes: #804389)
* Fix FTBFS with Ruby 2.2 (Closes: #803589)
+ Add ruby-frozen-nil patch to create a new Object instead of trying to
make modifications to the nil object.
+ Add ruby-test-unit patch to be compatible with the ruby-test-unit gem as
well as the older test-unit API provided by minitest.
subversion (1.9.2-2) unstable; urgency=medium
* Fix FTBFS with older Ruby versions by using RbConfig['vendorarchdir'] to
find the .a/.la files we're deleting.
subversion (1.9.2-1) unstable; urgency=medium
* New upstream release
+ Fix crash when saving credentials in kwallet. (Closes: #736879,
LP: #563179)
subversion (1.9.1-1) unstable; urgency=medium
* New upstream release
+ Remove direct use of svn_fs_open2 from libsvn_fs_x, thus fixing the
missing svn_fs_open2 symbol. (Closes: #795160)
* Enable gpg verification of new releases.
* Rename bash-completion file to svn and add symlinks for all other commands
which have completion. (Closes: #797648)
* debian/tests/libapache2-mod-svn: Stop apache2 before ending the test, to
avoid leaving stray processes running.
subversion (1.9.0-1) unstable; urgency=medium
* Upload to unstable
* New upstream release.
+ Security fixes
- CVE-2015-3184: Mixed anonymous/authenticated path-based authz with
httpd 2.4
- CVE-2015-3187: svn_repos_trace_node_locations() reveals paths hidden
by authz
* Add >= 2.7 requirement for python-all-dev Build-Depends, needed to run
tests.
* Remove Build-Conflicts against ruby-test-unit. (Closes: #791844)
* Remove patches/apache_module_dependency in favor of expressing the
dependencies in authz_svn.load/dav_svn.load.
* Build-Depend on apache2-dev (>= 2.4.16) to ensure ap_some_authn_required()
is available when building mod_authz_svn and Depend on apache2-bin (>=
2.4.16) for runtime support.
subversion (1.9.0~rc3-1) experimental; urgency=medium
* New upstream pre-release.
* Point the Vcs-* URLs at the right directory
subversion (1.9.0~rc2-2) experimental; urgency=medium
* Bump minimum JDK version to 1.6 in accordance with upstream change,
“javahl: requires Java 1.6 (r1677003)”
- This causes libsvn-java to no longer be available where gcj is the only
available Java implementation
subversion (1.9.0~rc2-1) experimental; urgency=medium
* New upstream pre-release. Refresh patches.
subversion (1.9.0~rc1-2) experimental; urgency=medium
* Install bash completion to /usr/share/bash-completion/completions
* Add dav_svn_get_repos_path2 symbol to apache_module_dependency patch.
(Closes: #786903)
subversion (1.9.0~rc1-1) experimental; urgency=medium
* New upstream pre-release. Refresh patches.
+ Remove backported patches libtoolize, ruby2.0-build-fixes,
test-failure-with-optimizations, CVE-2014-3580, CVE-2014-8108,
CVE-2015-0202, CVE-2015-0248, CVE-2015-0251.
+ New svn-vendor tool, alternative to svn_load_dirs.
+ svn-bench renamed to svnbench and moved to subversion package.
+ fsfs-stats tool replaced by the "stats" subcommand of the new svnfsfs
command.
+ Minimum supported version of serf bumped to 1.3.4.
+ pkgconfig files are available for the various libsvn_* libraries.
+ Fix “access forbidden” errors when performing a diff on a remote
repository when the user does not have access to the parent directory.
(Closes: #739278)
* debian/rules: Add new generated files to clean target
* debian/control:
+ Remove Troy Heber from Uploaders, at his request. Thanks for all the
fish!
+ Add dh-python to Build-Depends
-- Adam Conrad <email address hidden> Thu, 10 Dec 2015 09:44:29 -0700
-
subversion (1.8.13-1ubuntu3) wily; urgency=medium
* No-change rebuild to add ruby2.2 support.
-- Matthias Klose <email address hidden> Tue, 08 Sep 2015 14:49:49 +0000