UbuntuUpdates.org

Package "libsvn1"

Name: libsvn1

Description:

Shared libraries used by Apache Subversion

Latest version: 1.9.3-2ubuntu1.3
Release: xenial (16.04)
Level: updates
Repository: main
Head package: subversion
Homepage: http://subversion.apache.org/

Links


Download "libsvn1"


Other versions of "libsvn1" in Xenial

Repository Area Version
base main 1.9.3-2ubuntu1
security main 1.9.3-2ubuntu1.3

Changelog

Version: 1.9.3-2ubuntu1.3 2019-07-31 18:07:12 UTC

  subversion (1.9.3-2ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Remotely triggerable DoS vulnerability in svnserve
    'get-deleted-rev'
    - debian/patches/CVE-2018-11782.patch: properly handle certain replies
      in subversion/libsvn_ra_svn/client.c, subversion/svnserve/serve.c,
      subversion/tests/libsvn_ra/ra-test.c.
    - CVE-2018-11782
  * SECURITY UPDATE: Remote unauthenticated denial-of-service in svnserve
    - debian/patches/CVE-2019-0203.patch: properly handle errors in
      subversion/svnserve/serve.c.
    - CVE-2019-0203
  * WARNING: this update does _not_ include the changes from
    (1.9.3-2ubuntu1.2) in xenial-proposed.

 -- Marc Deslauriers <email address hidden> Fri, 26 Jul 2019 09:55:16 -0400

Source diff to previous version
CVE-2018-11782 RESERVED
CVE-2019-0203 RESERVED

Version: 1.9.3-2ubuntu1.1 2017-08-11 09:07:04 UTC

  subversion (1.9.3-2ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary code execution on clients through
    malicious svn+ssh URLs
    - debian/patches/CVE-2017-9800-1.9.6.patch: ensure that host
      arguments to ssh cannot be treated as ssh options.
    - CVE-2017-9800
  * SECURITY UPDATE: svnserve/sasl may authenticate users using the
    wrong realm.
    - debian/patches/CVE-2016-2167.patch: Reject invalid usernames when
      SASL is being used.
    - CVE-2016-2167
  * SECURITY UPDATE: remotely triggerable crash in the mod_authz_svn
    module.
    - debian/patches/CVE-2016-2167.patch: Reject requests with invalid
      Destination headers.
    - CVE-2016-2168
  * SECURITY UPDATE: denial-of-service caused by exponential XML
    entity expansion ("billion laughs attack").
    - debian/patches/CVE-2016-8734.patch: properly error out the
      parser on invalid data.
    - CVE-2016-8734

 -- Steve Beattie <email address hidden> Wed, 09 Aug 2017 23:16:19 -0700

CVE-2017-9800 Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url
CVE-2016-2167 The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication
CVE-2016-2168 The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote
CVE-2016-8734 Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://



About   -   Send Feedback to @ubuntu_updates