UbuntuUpdates.org

Package "subversion"

Name: subversion

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Apache Subversion server modules for Apache httpd
  • Apache Subversion server modules for Apache httpd (dummy package)
  • Java bindings for Apache Subversion
  • Ruby bindings for Apache Subversion (dummy package)

Latest version: 1.8.8-1ubuntu3.3
Release: trusty (14.04)
Level: security
Repository: universe

Links



Other versions of "subversion" in Trusty

Repository Area Version
base main 1.8.8-1ubuntu3
base universe 1.8.8-1ubuntu3
security main 1.8.8-1ubuntu3.3
updates main 1.8.8-1ubuntu3.3
updates universe 1.8.8-1ubuntu3.3

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.8.8-1ubuntu3.3 2017-08-11 07:07:05 UTC

  subversion (1.8.8-1ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Arbitrary code execution on clients through
    malicious svn+ssh URLs
    - debian/patches/CVE-2017-9800-1.8.18.patch: ensure that host
      arguments to ssh cannot be treated as ssh options.
    - CVE-2017-9800
  * SECURITY UPDATE: svnserve/sasl may authenticate users using the
    wrong realm.
    - debian/patches/CVE-2016-2167.patch: Reject invalid usernames when
      SASL is being used.
    - CVE-2016-2167
  * SECURITY UPDATE: remotely triggerable crash in the mod_authz_svn
    module.
    - debian/patches/CVE-2016-2167.patch: Reject requests with invalid
      Destination headers.
    - CVE-2016-2168
  * SECURITY UPDATE: denial-of-service caused by exponential XML
    entity expansion ("billion laughs attack").
    - debian/patches/CVE-2016-8734-1,8.patch: properly error out the
      parser on invalid data.
    - CVE-2016-8734
  * SECURITY UPDATE: mod_dav_svn: integer overflow when parsing
    skel-encoded request bodies.
    - debian/patches/CVE-2015-5343.patch: Defer memory allocation
      when reading skel-encoded requests.
    - CVE-2015-5343

 -- Steve Beattie <email address hidden> Thu, 10 Aug 2017 00:00:57 -0700

Source diff to previous version
CVE-2017-9800 Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url
CVE-2016-2167 The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication
CVE-2016-2168 The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote
CVE-2016-8734 Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://
CVE-2015-5343 Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users t

Version: 1.8.8-1ubuntu3.2 2015-08-20 18:06:41 UTC

  subversion (1.8.8-1ubuntu3.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via non-existing REPORT request
    - debian/patches/CVE-2014-3580.patch: make sure repo patchs are
      specified in subversion/mod_dav_svn/reports/deleted-rev.c,
      subversion/mod_dav_svn/reports/file-revs.c,
      subversion/mod_dav_svn/reports/get-location-segments.c,
      subversion/mod_dav_svn/reports/get-locations.c,
      subversion/mod_dav_svn/reports/inherited-props.c,
      subversion/mod_dav_svn/reports/log.c,
      subversion/mod_dav_svn/reports/mergeinfo.c.
    - CVE-2014-3580
  * SECURITY UPDATE: denial of service via non-existing virtual transaction
    name
    - debian/patches/CVE-2014-8108.patch: check transaction names and
      activity ids in subversion/mod_dav_svn/repos.c.
    - CVE-2014-8108
  * SECURITY UPDATE: denial of service via large number of REPORT requests
    - debian/patches/CVE-2015-0202.patch: refactor locking in
      subversion/libsvn_fs_fs/tree.c.
    - CVE-2015-0202
  * SECURITY UPDATE: denial of service via crafted parameter combinations
    - debian/patches/CVE-2015-0248.patch: properly handle missing revision
      numbers in subversion/mod_dav_svn/reports/get-location-segments.c,
      subversion/svnserve/serve.c.
    - CVE-2015-0248
  * SECURITY UPDATE: svn:author property spoofing issue
    - debian/patches/CVE-2015-0251.patch: restrict svn:author modifications
      in subversion/mod_dav_svn/deadprops.c.
    - CVE-2015-0251
  * SECURITY UPDATE: incorrect anonymous access restriction
    - debian/patches/CVE-2015-3184.patch: use force_authn() in Makefile.in,
      build/ac-macros/apache.m4, build/run_tests.py,
      subversion/mod_authz_svn/mod_authz_svn.c,
      subversion/tests/cmdline/README,
      subversion/tests/cmdline/davautocheck.sh,
      subversion/tests/cmdline/mod_authz_svn_tests.py,
      subversion/tests/cmdline/svntest/main.py, win-tests.py.
    - CVE-2015-3184
  * SECURITY UPDATE: sensitive path information disclosure
    - debian/patches/CVE-2015-3187.patch: fix order in
      subversion/libsvn_repos/rev_hunt.c, added tests to
      subversion/tests/cmdline/authz_tests.py,
      subversion/tests/libsvn_repos/repos-test.c.
    - CVE-2015-3187
  * debian/control: Depend on specific version of apache2-dev and
    apache2-bin to make sure fix for CVE-2015-3185 is included.

 -- Marc Deslauriers Wed, 19 Aug 2015 14:32:44 -0400

Source diff to previous version
CVE-2014-3580 The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial o
CVE-2014-8108 The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial
CVE-2015-0202 The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large numbe
CVE-2015-0248 The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of
CVE-2015-0251 The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property
CVE-2015-3184 mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous a
CVE-2015-3187 The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows
CVE-2015-3185 The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may b

Version: 1.8.8-1ubuntu3.1 2014-08-14 19:06:43 UTC

  subversion (1.8.8-1ubuntu3.1) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect ssl cert validation
    - debian/patches/CVE-2014-3522.patch: properly validate hostnames in
      subversion/include/private/svn_cert.h,
      subversion/libsvn_ra_serf/util.c,
      subversion/libsvn_subr/dirent_uri.c,
      added tests to subversion/tests/libsvn_subr/dirent_uri-test.c.
    - CVE-2014-3522
  * SECURITY UPDATE: md5 collision authentication leak
    - debian/patches/CVE-2014-3528.patch: check if realm matches in
      subversion/libsvn_subr/config_auth.c.
    - CVE-2014-3528
 -- Marc Deslauriers <email address hidden> Wed, 13 Aug 2014 10:28:59 -0400

CVE-2014-3522 incorrect SSL certificate validation in Serf RA (repository access) layer
CVE-2014-3528 MD5 collision authentication leak



About   -   Send Feedback to @ubuntu_updates