Change logs for subversion source package in Stretch

  • subversion (1.9.5-1+deb9u5) stretch-security; urgency=medium
    
      * Non-maintainer upload.
      * Backport upstream fix for segfault with new mod_http2 from DSA-4509-1.
        Closes: #936034
    
     -- Stefan Fritsch <email address hidden>  Mon, 30 Sep 2019 09:03:27 +0200
  • subversion (1.9.5-1+deb9u4) stretch-security; urgency=high
    
      * Backport security fixes from upstream:
        + CVE-2018-11782: Remotely triggerable DoS vulnerability in svnserve
          'get-deleted-rev'.
        + CVE-2018-0203: Remote unauthenticated denial-of-service in Subversion
          svnserve.
    
     -- James McCoy <email address hidden>  Mon, 29 Jul 2019 22:45:42 -0400
  • subversion (1.9.5-1+deb9u3) stretch; urgency=medium
    
      * Backport r1827688, fixing a regression introduced in the fixes for SHA1
        collisions, where commits would incorrectly fail with a "Filesystem is
        corrupt" error if the delta length is a multiple of 16K.
    
     -- James McCoy <email address hidden>  Fri, 20 Jul 2018 22:35:40 -0400
  • subversion (1.9.5-1+deb9u2) stretch; urgency=medium
    
      * Backport r1759116, working around an issue in APR's trunc API.  This is a
        prerequisite for the SHA1/shattered fixes.
      * Backport r1794527 and r1796725 to prevent the possibility of rep-sharing
        between a directory rep and a file/prop rep.
      * Backport r1795993 and r1796470 to reject commits which would introduce
        hash collisions with existing data, thus addressing the SHA1/shattered
        issue.
    
     -- James McCoy <email address hidden>  Sat, 30 Jun 2018 09:44:22 -0400
  • subversion (1.9.5-1+deb9u1) stretch-security; urgency=high
    
      * patches/CVE-2017-9800: Arbitrary code execution on clients through
        malicious svn+ssh URLs in svn:externals and svn:sync-from-url
    
     -- James McCoy <email address hidden>  Tue, 08 Aug 2017 23:04:58 -0400
  • subversion (1.9.5-1) unstable; urgency=medium
    
      * New upstream release
        + Security fix
          - CVE-2016-8734: Unrestricted XML entity expansion in HTTP clients
        + Fix corruption of "{DATE}" revision variable in swig-pl.  (Closes:
          #843138)
        + Remove patches:
          - ruby-frozen-nil: Alternative fix committed upstream.
          - Backported patches: perl-swig-crash, swig3.x-compat,
            r1722164-swig-cppflags
      * Fix #! lines for libsvn-{java,dev}.postinst.  (Closes: #843292, #843288)
      * Remove maintainer scripts that were handling pre-Jessie changes.
      * Use dh_apache2's substvars in libapache2-mod-svn.
    
     -- James McCoy <email address hidden>  Tue, 29 Nov 2016 22:50:42 -0500
  • subversion (1.9.4-3) unstable; urgency=medium
    
      * Build with hardening flags
      * Backport patches/perl-swig-crash from upstream to fix crashes with the
        Perl bindings, commonly seen when using git-svn.  (Closes: #780246,
        #534763)
    
     -- James McCoy <email address hidden>  Sat, 03 Sep 2016 14:45:04 -0400
  • subversion (1.9.4-2) unstable; urgency=medium
    
      * Add Build-Depends on rename package and invoke rename instead of prename.
        (Closes: #826057)
      * Fix removal of .so/.la files for private libsvn_ra_{serf,local} from -dev
        package.
      * Replace use of debhelper's deprecated -s with -a
      * Declare compliance with Policy 3.9.8, no changes required
      * Use https URL for Vcs-Browser
    
     -- James McCoy <email address hidden>  Mon, 25 Jul 2016 22:48:13 -0400
  • subversion (1.9.4-1) unstable; urgency=high
    
      * New upstream release.
        + Security fixes
          - CVE-2016-2167: svnserve/sasl may authenticate users using the wrong
            realm
          - CVE-2016-2168: Remotely triggerable DoS vulnerability in mod_authz_svn
            during COPY/MOVE authorization check
        + Remove merged patch ruby-test-unit.
        + Fix non-canonical path assertion in svn-graph.pl.  (Closes: #702922)
        + Abort a commit on Ctrl-C.  (Closes: #502222, #501971)
      * d/rules: Remove an extraneous "done" to fix FTBFS when bash is $SHELL.
        (Closes: #821930)
    
     -- James McCoy <email address hidden>  Wed, 27 Apr 2016 20:47:49 -0400
  • subversion (1.9.3-3) unstable; urgency=medium
    
      * Remove transitional packages and maintainer snippets supporting upgrades
        from pre-jessie systems.
      * Enable libsvn-java on m68k and sparc64, since openjdk-8-jdk is now
        available on those archs.
      * Declare compliance with policy 3.9.7, no changes needed.
      * Remove subversion-dbg package in favor of automatic -dbgsym package.
      * Bump debhelper compat to 9.
      * Fix FTBFS on mips(el) by working around GCC bug #816698
      * Fix SWIG build issues
        + Backport patches/swig3.x-compat from upstream
        + Switch back to “Build-Depends: swig”  (Closes: #817002)
    
     -- James McCoy <email address hidden>  Mon, 14 Mar 2016 00:34:52 -0400
  • subversion (1.9.3-2) unstable; urgency=medium
    
      * Remove -Wdate-time from CPPFLAGS passed to swig.  (Closes: #809054)
    
     -- James McCoy <email address hidden>  Fri, 15 Jan 2016 22:45:33 -0500
  • subversion (1.9.3-1) unstable; urgency=high
    
      * New upstream release.
        + Security fixes
          - CVE-2015-5259: Heap overflow and out-of-bounds read in svn:// protocol
            parser
          - CVE-2015-5343: Heap overflow and out-of-bounds read in mod_dav_svn
        + Fix dumps of no-op changes with “svnadmin dump”.  (Closes: #803725)
        + Fix segfault when performing a diff when repository is on server root.
          (Closes: #802611)
        + Fix translations of commit notifications.  (Closes: #802156)
        + Fix authz with mod_auth_ntlm/mod_auth_kerb.  (Closes: #797216)
        + Restore reporting (un)lock errors as failures.  (Closes: #796781)
    
     -- James McCoy <email address hidden>  Tue, 15 Dec 2015 20:26:57 -0500
  • subversion (1.9.2-3) unstable; urgency=medium
    
      * Re-enable libsvn-java on kfreebsd-*.
      * Ensure swig2.0 is used to avoid build failures, until upstream figures
        out how to work with swig >= 3.0.  (Closes: #804389)
      * Fix FTBFS with Ruby 2.2 (Closes: #803589)
        + Add ruby-frozen-nil patch to create a new Object instead of trying to
          make modifications to the nil object.
        + Add ruby-test-unit patch to be compatible with the ruby-test-unit gem as
          well as the older test-unit API provided by minitest.
    
     -- James McCoy <email address hidden>  Mon, 09 Nov 2015 19:22:18 -0500
  • subversion (1.9.2-2) unstable; urgency=medium
    
      * Fix FTBFS with older Ruby versions by using RbConfig['vendorarchdir'] to
        find the .a/.la files we're deleting.
    
     -- James McCoy <email address hidden>  Sun, 18 Oct 2015 22:10:03 -0400
  • subversion (1.9.2-1) unstable; urgency=medium
    
      * New upstream release
        + Fix crash when saving credentials in kwallet.  (Closes: #736879,
          LP: #563179)
    
     -- James McCoy <email address hidden>  Wed, 23 Sep 2015 21:27:15 -0400
  • subversion (1.9.1-1) unstable; urgency=medium
    
      * New upstream release
        + Remove direct use of svn_fs_open2 from libsvn_fs_x, thus fixing the
          missing svn_fs_open2 symbol.  (Closes: #795160)
      * Enable gpg verification of new releases.
      * Rename bash-completion file to svn and add symlinks for all other commands
        which have completion.  (Closes: #797648)
      * debian/tests/libapache2-mod-svn: Stop apache2 before ending the test, to
        avoid leaving stray processes running.
    
     -- James McCoy <email address hidden>  Mon, 07 Sep 2015 19:21:22 -0400
  • subversion (1.9.0-1) unstable; urgency=medium
    
      * Upload to unstable
      * New upstream release.
        + Security fixes
          - CVE-2015-3184: Mixed anonymous/authenticated path-based authz with
            httpd 2.4
          - CVE-2015-3187: svn_repos_trace_node_locations() reveals paths hidden
            by authz
      * Add >= 2.7 requirement for python-all-dev Build-Depends, needed to run
        tests.
      * Remove Build-Conflicts against ruby-test-unit.  (Closes: #791844)
      * Remove patches/apache_module_dependency in favor of expressing the
        dependencies in authz_svn.load/dav_svn.load.
      * Build-Depend on apache2-dev (>= 2.4.16) to ensure ap_some_authn_required()
        is available when building mod_authz_svn and Depend on apache2-bin (>=
        2.4.16) for runtime support.
    
     -- James McCoy <email address hidden>  Fri, 07 Aug 2015 21:32:47 -0400
  • subversion (1.8.13-1+deb9u1) stretch; urgency=medium
    
      * Add (Build-)Depends on apache2 packages necessary for security fixes.
      * patches/CVE-2015-3814: Mixed anonymous/authenticated path-based authz with
        httpd 2.4
      * patches/CVE-2015-3817: svn_repos_trace_node_locations() reveals path
        hidden by authz
    
     -- James McCoy <email address hidden>  Wed, 12 Aug 2015 20:31:26 -0400
  • subversion (1.8.13-1) unstable; urgency=medium
    
      * New upstream release.  Refresh patches.
        - Remove backported patches CVE-2014-8108, CVE-2014-3580, CVE-2015-0202,
          CVE-2015-0248, CVE-2015-0251, ruby2.0-build-fixes, and
          test-failure-with-optimizations.
      * Add patches wc-queries-test1-r1672295 and wc-queries-test2-r1673691, from
        upstream, to fix wc-queries test failures with new SQLite versions.
        (Closes: #785496)
    
     -- James McCoy <email address hidden>  Fri, 22 May 2015 02:43:09 -0400
  • subversion (1.8.10-6) unstable; urgency=high
    
      * patches/CVE-2015-0202: Excessive memory use with certain REPORT requests
        against mod_dav_svn with FSFS repositories
      * patches/CVE-2015-0248: Assertion DoS vulnerability for certain mod_dav_svn
        and svnserve requests with dynamically evaluated revision numbers
      * patches/CVE-2015-0251: mod_dav_svn allows spoofing svn:author property
        values for new revisions
    
     -- James McCoy <email address hidden>  Tue, 31 Mar 2015 22:51:18 -0400