Multiple vulnerabilities in Bionic, Focal and Jammy

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Subversion 1.9.7-4ubuntu1 and 1.9.12 fail to build on Ubuntu 18.04 because they use javah, that was removed in OpenJDK 10 (the default-jre-headless package installs OpenJDK 11), and there is no equivalent of the -force flag in its replacement (javac). Therefore, I am packaging the latest version of the next Subversion LTS (1.10.8) based on the packaging in Debian buster.

Patches for Focal and Jammy will be added today.

The attachment "subversion_bionic.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Thanks for the debdiffs. I've reviewed them:

- NACK on the bionic debdiff. Updating the version isn't acceptable for a security update. You can fix the FTBFS by using the java10-compatibility patch from buster.
- NACK on the focal debdiff. It doesn't look like you added the patch to the series file, so it's not getting applied during the build.
- NACK on the jammy debdiff. Please use targeted backported patches, and not a whole new upstream version.

Thanks for the updated patches - they look a lot better. Note, one thing we try and do is to add references to the patch files to indicate where they came from as per https://dep-team.pages.debian.net/deps/dep3/ - as an example see the update in http://launchpadlibrarian.net/596090586/subversion_1.14.1-3_1.14.1-3ubuntu0.1.diff.gz which shows these headers included in the new debian/patches/CVE-XXX.patch files which got added as part of that update.

Including these also makes it a lot easier for reviewers to ensure that the changes are 'official' and match what the upstream.

Also the debian/changelog entry is a bit terse compared to what we normally would do - as an example please see step 3 at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

However, in this case as you have already put a lot of work into these, I am happy to go with them as they are (although I am replacing the patches with the ones with dep-3 headers from the impish update linked above so we can keep as much attribution etc as possible). I will sponsor these later today/tomorrow.

Thanks again.

This bug was fixed in the package subversion - 1.13.0-3ubuntu0.2

---------------
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Remote unauthenticated denial-of-service in Subversion
    mod_authz_svn (LP: #1970228)
    - debian/patches/CVE-2020-17525.patch: Check for NULL repos_root_dirent in
      subversion/libsvn_repos/config_file.c.
    - CVE-2020-17525

 -- Luís Infante da Câmara <email address hidden> Thu, 12 May 2022 21:47:08 +0100

This bug was fixed in the package subversion - 1.9.7-4ubuntu1.1

---------------
subversion (1.9.7-4ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: CVE-2018-11782, CVE-2019-0203, CVE-2020-17525 (LP: #1970228)
    - debian/patches/CVE-2018-11782.patch: New patch from upstream security
      advisory, that also fixes CVE-2019-0203.
    - debian/patches/handle_missing_file.patch: New patch from Subversion 1.10
      needed to apply CVE-2020-17525.patch.
    - debian/patches/CVE-2020-17525.patch: New patch from upstream security
      advisory.
    - debian/patches/java10-compatibility: New patch from Debian buster to fix
      build failure with OpenJDK 11.

 -- Luís Infante da Câmara <email address hidden> Sat, 21 May 2022 08:24:25 +0100

This bug was fixed in the package subversion - 1.14.1-3ubuntu0.22.04.1

---------------
subversion (1.14.1-3ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: CVE-2021-28544, CVE-2022-24070 (LP: #1970228)
    - debian/patches/CVE-2021-28544.patch, debian/patches/CVE-2022-24070.patch:
      New patches from upstream security advisories.

 -- Luís Infante da Câmara <email address hidden> Sat, 21 May 2022 11:52:35 +0100

Setting impish to Incomplete since there is no debdiff to sponsor at this stage.

Removing ubuntu-security-sponsors since there is no debdiff to sponsor.