subversion (1.6.6dfsg-2ubuntu1.3) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via baselined WebDAV resource
request
- debian/patches/CVE-2011-1752.patch: disallow GETs of baselined
versions of resources in subversion/mod_dav_svn/repos.c.
- CVE-2011-1752
* SECURITY UPDATE: mod_dav_svn resource exhaustion via infinite loop
- debian/patches/CVE-2011-1783.patch: validate path in
subversion/libsvn_repos/authz.c.
- CVE-2011-1783
* SECURITY UPDATE: mod_dav_svn permissions bypass via incorrect
resource URL
- debian/patches/CVE-2011-1921.patch: validate path in
subversion/mod_dav_svn/authz.c.
- CVE-2011-1921
-- Marc Deslauriers <email address hidden> Thu, 02 Jun 2011 13:27:51 -0400
-
subversion (1.6.6dfsg-2ubuntu1.2) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via request containing lock token
- debian/patches/CVE-2011-0715.patch: correctly handle locks being
passed when authn isn't enabled in subversion/mod_dav_svn/repos.c,
subversion/mod_dav_svn/version.c.
- CVE-2011-0715
-- Marc Deslauriers <email address hidden> Mon, 21 Mar 2011 15:10:54 -0400
-
subversion (1.6.6dfsg-2ubuntu1.1) lucid-security; urgency=low
* SECURITY UPDATE: restriction bypass via named repo as a rule scope
- debian/patches/CVE-2010-3315.patch: use repo_basename in
subversion/mod_dav_svn/authz.c.
- CVE-2010-3315
* SECURITY UPDATE: denial of service via SVNParentPath walking
- debian/patches/CVE-2010-4539.patch: don't try and walk SVNParentPath
collection in subversion/mod_dav_svn/repos.c.
- CVE-2010-4539
* SECURITY UPDATE: denial of service via -g memory leaks
- debian/patches/CVE-2010-4644.patch: improve logic in
subversion/libsvn_repos/rev_hunt.c.
- CVE-2010-4644
-- Marc Deslauriers <email address hidden> Fri, 14 Jan 2011 12:36:43 -0600
-
subversion (1.6.6dfsg-2ubuntu1) lucid; urgency=low
* Merge from debian unstable (LP: #483953).
Includes enabling kwallet support (LP: #481792, #466078).
Remaining changes:
- Create pot file on build.
- Build a python-subversion-dbg package.
- (Build-)depend on default-jre-headless/-jdk.
- Do not apply java-build patch.
- debian/rules: Manually create the doxygen output directory, otherwise
we get weird build failures when running parallel builds.
- Disable the serf backend because serf is in universe.
* Amend the XS-Python-Version line to ">= 2.4" rather than explicit
versions (only building for 2.6 in Lucid since that is the only Python in
Lucid).
subversion (1.6.6dfsg-2) unstable; urgency=low
* Update svn-bisect (Closes: #535234), fix bugs, add features,
and write a manpage. Also mention it in the subversion-tools
Description. (Closes: #535187)
* Move from db4.7 to db4.8, tracking apr-util. (Closes: #557457)
* Move the example XSL and CSS files for mod_dav_svn to
/usr/share/doc/libapache2-svn/examples/. (Closes: #553535)
* patches/ruby-test-info: New patch to maybe address a FTBFS. (#545372)
Thanks Michael Diers, Joe Swatosh and Stefan Sperling. I expect that
this is not the only fix needed, but we shall see.
* patches/16x-po: New patch: a couple translation updates from 1.6.7.
* libsvn-java: depend on ${shlibs:Depends}, thanks Lintian.
* python-subversion: Update an outdated Lintian override.
* libsvn1: Add a handful of Lintian overrides.
subversion (1.6.6dfsg-1) unstable; urgency=low
* New upstream release.
- Reintroduce svn_load_dirs.pl: Dolby has agreed to an explicit free
software license. Thanks Blair Zajac for following up on this.
- patches/ruby-test-core: New patch from upstream to fix a new failure
in the ruby testsuite.
* Standards-Version 3.8.3 (no changes).
* control: Some housecleaning: remove some Conflicts/Replaces/Provides
that haven't been needed since etch.
* patches/build-fixes: add a small fix for parallel builds.
(Closes: #531369, #543110)
* patches/svn2cl-upstream: New patch to fix the XSL to better comply
with XML standards. (Closes: #546990)
* Enable kwallet support. (Closes: #539564)
- patches/kwallet-wid: New patch based very loosely on upstream work, to
let the kwallet library know your terminal's Window ID, if available.
- patches/apr-abi, patches/rpath: Fix the LINK_CXX target, now that
we're finally using it.
* Set dependency_libs='' in all .la files (Closes: #544877), as per:
http://lists.debian.org/debian-devel/2009/08/msg00783.html
-- Max Bowsher <email address hidden> Fri, 11 Dec 2009 23:48:13 +0000
-
subversion (1.6.5dfsg-1ubuntu1) karmic; urgency=low
* Merge from debian unstable (LP: #406245), remaining changes:
- Create pot file on build.
- Build a python-subversion-dbg package.
- (Build-)depend on default-jre-headless/-jdk.
- Do not apply java-build patch.
- Don't build for python2.4, not in main.
- debian/rules: Manually create the doxygen output directory, otherwise
we get weird build failures when running parallel builds.
* Disable the serf backend because serf is in universe.
subversion (1.6.5dfsg-1) unstable; urgency=low
* New upstream release.
- Resolves symlinks in ~/.subversion. (Closes: #541202)
* patches/ssh-no-controlmaster: Replace with the much simpler approach
upstream demonstrates with 'ssh -q'.
* patches/no-dbus-spam: New patch to shut up the gnome-keyring library
when it can't initialize. (Closes: #542403)
* patches/ruby-test-tree-conflicts: New patch from upstream trunk, to
fix two ruby test failures.
subversion (1.6.4dfsg-1) unstable; urgency=high
* New upstream security release.
- Fix CVE-2009-2411, heap overflows in svndiff stream parsing.
subversion (1.6.3dfsg-1) unstable; urgency=low
* New upstream release.
* Update package sections corresponding to recent ftpmaster work.
* Re-enable libsvn_ra_serf, now that serf 0.3.0-0.2 is available.
* Add symbols file for libsvn1, for finer-grained dependencies.
-- Anders Kaseorg <email address hidden> Mon, 24 Aug 2009 19:09:22 -0400