[ubuntu/trusty-updates] subversion 1.8.8-1ubuntu3.2 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Thu Aug 20 17:58:15 UTC 2015 

subversion (1.8.8-1ubuntu3.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via non-existing REPORT request
    - debian/patches/CVE-2014-3580.patch: make sure repo patchs are
      specified in subversion/mod_dav_svn/reports/deleted-rev.c,
      subversion/mod_dav_svn/reports/file-revs.c,
      subversion/mod_dav_svn/reports/get-location-segments.c,
      subversion/mod_dav_svn/reports/get-locations.c,
      subversion/mod_dav_svn/reports/inherited-props.c,
      subversion/mod_dav_svn/reports/log.c,
      subversion/mod_dav_svn/reports/mergeinfo.c.
    - CVE-2014-3580
  * SECURITY UPDATE: denial of service via non-existing virtual transaction
    name
    - debian/patches/CVE-2014-8108.patch: check transaction names and
      activity ids in subversion/mod_dav_svn/repos.c.
    - CVE-2014-8108
  * SECURITY UPDATE: denial of service via large number of REPORT requests
    - debian/patches/CVE-2015-0202.patch: refactor locking in
      subversion/libsvn_fs_fs/tree.c.
    - CVE-2015-0202
  * SECURITY UPDATE: denial of service via crafted parameter combinations
    - debian/patches/CVE-2015-0248.patch: properly handle missing revision
      numbers in subversion/mod_dav_svn/reports/get-location-segments.c,
      subversion/svnserve/serve.c.
    - CVE-2015-0248
  * SECURITY UPDATE: svn:author property spoofing issue
    - debian/patches/CVE-2015-0251.patch: restrict svn:author modifications
      in subversion/mod_dav_svn/deadprops.c.
    - CVE-2015-0251
  * SECURITY UPDATE: incorrect anonymous access restriction
    - debian/patches/CVE-2015-3184.patch: use force_authn() in Makefile.in,
      build/ac-macros/apache.m4, build/run_tests.py,
      subversion/mod_authz_svn/mod_authz_svn.c,
      subversion/tests/cmdline/README,
      subversion/tests/cmdline/davautocheck.sh,
      subversion/tests/cmdline/mod_authz_svn_tests.py,
      subversion/tests/cmdline/svntest/main.py, win-tests.py.
    - CVE-2015-3184
  * SECURITY UPDATE: sensitive path information disclosure
    - debian/patches/CVE-2015-3187.patch: fix order in
      subversion/libsvn_repos/rev_hunt.c, added tests to
      subversion/tests/cmdline/authz_tests.py,
      subversion/tests/libsvn_repos/repos-test.c.
    - CVE-2015-3187
  * debian/control: Depend on specific version of apache2-dev and
    apache2-bin to make sure fix for CVE-2015-3185 is included.

Date: 2015-08-20 12:43:13.013130+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/subversion/1.8.8-1ubuntu3.2
-------------- next part --------------
Sorry, changesfile not available.

More information about the Trusty-changes mailing list