[ubuntu/trusty-security] subversion 1.8.8-1ubuntu3.3 (Accepted)
Steve Beattie
sbeattie at ubuntu.com
Fri Aug 11 05:50:49 UTC 2017
subversion (1.8.8-1ubuntu3.3) trusty-security; urgency=medium
* SECURITY UPDATE: Arbitrary code execution on clients through
malicious svn+ssh URLs
- debian/patches/CVE-2017-9800-1.8.18.patch: ensure that host
arguments to ssh cannot be treated as ssh options.
- CVE-2017-9800
* SECURITY UPDATE: svnserve/sasl may authenticate users using the
wrong realm.
- debian/patches/CVE-2016-2167.patch: Reject invalid usernames when
SASL is being used.
- CVE-2016-2167
* SECURITY UPDATE: remotely triggerable crash in the mod_authz_svn
module.
- debian/patches/CVE-2016-2167.patch: Reject requests with invalid
Destination headers.
- CVE-2016-2168
* SECURITY UPDATE: denial-of-service caused by exponential XML
entity expansion ("billion laughs attack").
- debian/patches/CVE-2016-8734-1,8.patch: properly error out the
parser on invalid data.
- CVE-2016-8734
* SECURITY UPDATE: mod_dav_svn: integer overflow when parsing
skel-encoded request bodies.
- debian/patches/CVE-2015-5343.patch: Defer memory allocation
when reading skel-encoded requests.
- CVE-2015-5343
Date: 2017-08-10 10:13:06.894699+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
https://launchpad.net/ubuntu/+source/subversion/1.8.8-1ubuntu3.3
-------------- next part --------------
Sorry, changesfile not available.
More information about the Trusty-changes
mailing list