Subversion 1.6.13 security update

Bug #659362 reported by Heimen Stoffels
Affects                 Status         Importance   Assigned to   Milestone
subversion (Ubuntu)     Fix Released   Medium       Unassigned
  Karmic                Fix Released   Medium       Unassigned
  Lucid                 Fix Released   Medium       Unassigned
  Maverick              Fix Released   Medium       Unassigned

Bug Description

Binary package hint: subversion

On October 1, Subversion 1.6.13 was released. It contains a security fix.

"Subversion 1.6.13, the latest stable version of Subversion, has been released. For more information, see the release announcement or the change log. Of note, this release addresses CVE-2010-3315, a security issue when using SVNPathAuthz short_circuit."

So either 1.6.13 must be thrown into the updates of 10.10 (which currently features 1.6.12), or 1.6.12 needs to be patched to fix the issue.

CVE References

visibility: private → public
Changed in subversion (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

This is fixed in natty. Karmic, Lucid and Maverick still need to be fixed. Source is in main, binaries are in universe.

Changed in subversion (Ubuntu):
status: Confirmed → Fix Released
Changed in subversion (Ubuntu Karmic):
status: New → Confirmed
Changed in subversion (Ubuntu Lucid):
status: New → Confirmed
Changed in subversion (Ubuntu Maverick):
status: New → Confirmed
Changed in subversion (Ubuntu Karmic):
importance: Undecided → Medium
Changed in subversion (Ubuntu Lucid):
importance: Undecided → Medium
Changed in subversion (Ubuntu Maverick):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Arvind S Raj (arvindsraj-deactivatedaccount) wrote :

Checked Debian; they are still on 1.6.12, the same version as Ubuntu. The current upstream version is 1.6.15, with a lot of changes (http://svn.apache.org/repos/asf/subversion/trunk/CHANGES). Should 1.6.15 be used, or should the security hole just be patched by using 1.6.13?

Arvind S Raj (arvindsraj-deactivatedaccount) wrote :

Patch for maverick-backport from natty.

Arvind S Raj (arvindsraj-deactivatedaccount) wrote :

Patch for lucid-backport from natty.

Arvind S Raj (arvindsraj-deactivatedaccount) wrote :

Patch for karmic-backport from natty.

Changed in subversion (Ubuntu):
assignee: nobody → Arvind S Raj (arvindsraj)
Marc Deslauriers (mdeslaur) wrote :

This bug got fixed by the following USN:
http://www.ubuntu.com/usn/usn-1053-1/

Changed in subversion (Ubuntu Karmic):
status: Confirmed → Fix Released
Changed in subversion (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in subversion (Ubuntu Maverick):
status: Confirmed → Fix Released