-
subversion (1.8.10-5ubuntu1.1) vivid-security; urgency=medium
* SECURITY UPDATE: denial of service via large number of REPORT requests
- debian/patches/CVE-2015-0202.patch: refactor locking in
subversion/libsvn_fs_fs/tree.c.
- CVE-2015-0202
* SECURITY UPDATE: denial of service via crafted parameter combinations
- debian/patches/CVE-2015-0248.patch: properly handle missing revision
numbers in subversion/mod_dav_svn/reports/get-location-segments.c,
subversion/svnserve/serve.c.
- CVE-2015-0248
* SECURITY UPDATE: svn:author property spoofing issue
- debian/patches/CVE-2015-0251.patch: restrict svn:author modifications
in subversion/mod_dav_svn/deadprops.c.
- CVE-2015-0251
* SECURITY UPDATE: incorrect anonymous access restriction
- debian/patches/CVE-2015-3184.patch: use force_authn() in Makefile.in,
build/ac-macros/apache.m4, build/run_tests.py,
subversion/mod_authz_svn/mod_authz_svn.c,
subversion/tests/cmdline/README,
subversion/tests/cmdline/davautocheck.sh,
subversion/tests/cmdline/mod_authz_svn_tests.py,
subversion/tests/cmdline/svntest/main.py, win-tests.py.
- CVE-2015-3184
* SECURITY UPDATE: sensitive path information disclosure
- debian/patches/CVE-2015-3187.patch: fix order in
subversion/libsvn_repos/rev_hunt.c, added tests to
subversion/tests/cmdline/authz_tests.py,
subversion/tests/libsvn_repos/repos-test.c.
- CVE-2015-3187
* debian/control: Depend on specific version of apache2-dev and
apache2-bin to make sure fix for CVE-2015-3185 is included.
-- Marc Deslauriers <email address hidden> Wed, 19 Aug 2015 12:38:31 -0400
-
subversion (1.8.10-5ubuntu1) vivid; urgency=medium
* Resynchronise with Debian. Remaining changes:
- debian/rules: Manually create the doxygen output directory, otherwise
we get weird build failures when running parallel builds.
- Build a python-subversion-dbg package.
- Build-depend on python-all-dbg.
- Only build on requested python versions (X-Python-Versions:).
- debian/patches/verbose-tests.diff: Make tests verbose.
subversion (1.8.10-5) unstable; urgency=medium
* patches/CVE-2014-8108: mod_dav_svn DoS vulnerability with invalid virtual
transaction names (Closes: #773315)
* patches/CVE-2014-3580: mod_dav_svn DoS vulnerability with invalid REPORT
requests (Closes: #773263)
-- Colin Watson <email address hidden> Sun, 04 Jan 2015 21:49:36 +0000
-
subversion (1.8.10-4ubuntu1) vivid; urgency=medium
* Resynchronise with Debian. Remaining changes:
- debian/rules: Manually create the doxygen output directory, otherwise
we get weird build failures when running parallel builds.
- Build a python-subversion-dbg package.
- Build-depend on python-all-dbg.
- Only build on requested python versions (X-Python-Versions:).
- debian/patches/verbose-tests.diff: Make tests verbose.
subversion (1.8.10-4) unstable; urgency=medium
* control: Use "dh_install --list-missing" instead of --fail-missing to
avoid a FTBFS with parallel builds. (Closes: #768903)
subversion (1.8.10-3) unstable; urgency=medium
* Add a NEWS item describing that 1.7.x and later do not support having a
working copy which spans multiple filesystems. (Closes: #766285)
* rules: Needs more MAN3EXT so generated swig-pl Makefile never installs
files to debian/tmp with wrong extensions.
* Move some less frequently used tools to subversion-tools and include the
fsfs-* tools. (Closes: #764689)
* Switch from specifying gcj as the Java implementation to default-jdk.
(Closes: #737527, #421400)
- Remove patches/java-build
subversion (1.8.10-2) unstable; urgency=medium
* Add patches/test-failure-with-optimizations from upstream to fix test
failures with certain build configurations. (Closes: #757773)
* Add patches/libtoolize from upstream to support the Multi-Arch libtool
packaging. (Closes: #761789)
-- Colin Watson <email address hidden> Mon, 17 Nov 2014 14:33:52 +0000
-
subversion (1.8.10-1ubuntu2) utopic; urgency=medium
* Rebuild for Perl 5.20.0.
-- Colin Watson <email address hidden> Thu, 21 Aug 2014 13:52:59 +0100