Debian Bug report logs - #608989
CVE-2010-4539: mod_dav_svn DoS

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Wed, 5 Jan 2011 09:12:01 UTC

Severity: important

Tags: pending, security

Fixed in version subversion/1.6.12dfsg-4

Done: Peter Samuelson <peter@p12n.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#608989; Package subversion. (Wed, 05 Jan 2011 09:12:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Peter Samuelson <peter@p12n.org>. (Wed, 05 Jan 2011 09:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-4539: mod_dav_svn DoS
Date: Wed, 05 Jan 2011 10:00:53 +0100
Package: subversion
Severity: important
Tags: security

Hi,
please see http://www.openwall.com/lists/oss-security/2011/01/04/8

I noticed that you already fixed the [B] (no CVE yet) issue in your 
1.6.12dfsg-3 upload in sid/squeeze.

Could you please also upload a fix for CVE-2010-4539 and ask
for an unblock with release managers?
http://svn.apache.org/viewvc?view=revision&revision=1033166

Cheers,
        Moritz




Added tag(s) pending. Request was from peters@users.alioth.debian.org to control@bugs.debian.org. (Wed, 05 Jan 2011 17:09:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#608989; Package subversion. (Wed, 05 Jan 2011 19:42:03 GMT)


Acknowledgement sent to Peter Samuelson <peter@p12n.org>:
Extra info received and forwarded to list. (Wed, 05 Jan 2011 19:42:03 GMT)


Message #12 received at 608989@bugs.debian.org:

From: Peter Samuelson <peter@p12n.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 608989@bugs.debian.org
Subject: Re: Bug#608989: CVE-2010-4539: mod_dav_svn DoS
Date: Wed, 5 Jan 2011 13:38:25 -0600
[Moritz Muehlenhoff]
> please see http://www.openwall.com/lists/oss-security/2011/01/04/8
> 
> I noticed that you already fixed the [B] (no CVE yet) issue in your 
> 1.6.12dfsg-3 upload in sid/squeeze.

...And now it's been assigned CVE-2010-4644, so I've edited
debian/changelog accordingly.

> Could you please also upload a fix for CVE-2010-4539 and ask
> for an unblock with release managers?

Yes, sorry, I missed that issue when looking through svn 1.6.15 changes
to push to squeeze.  I'll upload 1.6.12dfsg-4 shortly with this patch
in it, and will work with debian-release on it.
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/




Reply sent to Peter Samuelson <peter@p12n.org>:
You have taken responsibility. (Wed, 05 Jan 2011 22:06:10 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Wed, 05 Jan 2011 22:06:11 GMT)


Message #17 received at 608989-close@bugs.debian.org:

From: Peter Samuelson <peter@p12n.org>
To: 608989-close@bugs.debian.org
Subject: Bug#608989: fixed in subversion 1.6.12dfsg-4
Date: Wed, 05 Jan 2011 22:03:46 +0000
Source: subversion
Source-Version: 1.6.12dfsg-4

We believe that the bug you reported is fixed in the latest version of
subversion, which is due to be installed in the Debian FTP archive:

libapache2-svn_1.6.12dfsg-4_amd64.deb
  to main/s/subversion/libapache2-svn_1.6.12dfsg-4_amd64.deb
libsvn-dev_1.6.12dfsg-4_amd64.deb
  to main/s/subversion/libsvn-dev_1.6.12dfsg-4_amd64.deb
libsvn-doc_1.6.12dfsg-4_all.deb
  to main/s/subversion/libsvn-doc_1.6.12dfsg-4_all.deb
libsvn-java_1.6.12dfsg-4_amd64.deb
  to main/s/subversion/libsvn-java_1.6.12dfsg-4_amd64.deb
libsvn-perl_1.6.12dfsg-4_amd64.deb
  to main/s/subversion/libsvn-perl_1.6.12dfsg-4_amd64.deb
libsvn-ruby1.8_1.6.12dfsg-4_amd64.deb
  to main/s/subversion/libsvn-ruby1.8_1.6.12dfsg-4_amd64.deb
libsvn-ruby_1.6.12dfsg-4_all.deb
  to main/s/subversion/libsvn-ruby_1.6.12dfsg-4_all.deb
libsvn1_1.6.12dfsg-4_amd64.deb
  to main/s/subversion/libsvn1_1.6.12dfsg-4_amd64.deb
python-subversion_1.6.12dfsg-4_amd64.deb
  to main/s/subversion/python-subversion_1.6.12dfsg-4_amd64.deb
subversion-tools_1.6.12dfsg-4_all.deb
  to main/s/subversion/subversion-tools_1.6.12dfsg-4_all.deb
subversion_1.6.12dfsg-4.diff.gz
  to main/s/subversion/subversion_1.6.12dfsg-4.diff.gz
subversion_1.6.12dfsg-4.dsc
  to main/s/subversion/subversion_1.6.12dfsg-4.dsc
subversion_1.6.12dfsg-4_amd64.deb
  to main/s/subversion/subversion_1.6.12dfsg-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 608989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Samuelson <peter@p12n.org> (supplier of updated subversion package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 05 Jan 2011 10:43:01 -0600
Source: subversion
Binary: subversion libsvn1 libsvn-dev libsvn-doc libapache2-svn python-subversion subversion-tools libsvn-java libsvn-perl libsvn-ruby1.8 libsvn-ruby
Architecture: source all amd64
Version: 1.6.12dfsg-4
Distribution: unstable
Urgency: high
Maintainer: Peter Samuelson <peter@p12n.org>
Changed-By: Peter Samuelson <peter@p12n.org>
Description: 
 libapache2-svn - Subversion server modules for Apache
 libsvn-dev - Development files for Subversion libraries
 libsvn-doc - Developer documentation for libsvn
 libsvn-java - Java bindings for Subversion
 libsvn-perl - Perl bindings for Subversion
 libsvn-ruby - Ruby bindings for Subversion (dummy package)
 libsvn-ruby1.8 - Ruby bindings for Subversion
 libsvn1    - Shared libraries used by Subversion
 python-subversion - Python bindings for Subversion
 subversion - Advanced version control system
 subversion-tools - Assorted tools related to Subversion
Closes: 608925 608989
Changes: 
 subversion (1.6.12dfsg-4) unstable; urgency=high
 .
   * patches/loosen-sqlite-version-check: New patch: Relax the SQLite
     version check, to match the Debian sqlite3 packaging.
     (Closes: #608925)
   * patches/cve-2010-4539: New patch for CVE-2010-4539, fixing a remotely
     triggered crash in mod_dav_svn involving use of the SVNParentPath
     feature.  (Closes: #608989)






Added tag(s) pending. Request was from mdiers-guest@users.alioth.debian.org to control@bugs.debian.org. (Mon, 10 Jan 2011 00:57:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 23 May 2011 07:39:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:28:52 2019; Machine Name: beach
