subversion: CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn

Related Vulnerabilities: CVE-2020-17525  

Debian Bug report logs - #982464
subversion: CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 10 Feb 2021 14:39:02 UTC

Severity: grave

Tags: security, upstream

Found in versions subversion/1.14.0-3, subversion/1.10.4-1, subversion/1.10.4-1+deb10u1

Fixed in version subversion/1.14.1-1

Done: James McCoy <jamessan@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, James McCoy <jamessan@debian.org>:
Bug#982464; Package src:subversion. (Wed, 10 Feb 2021 14:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, James McCoy <jamessan@debian.org>. (Wed, 10 Feb 2021 14:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: subversion: CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn
Date: Wed, 10 Feb 2021 15:36:11 +0100
Source: subversion
Version: 1.14.0-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.10.4-1+deb10u1
Control: found -1 1.10.4-1

Hi,

The following vulnerability was published for subversion.

CVE-2020-17525[0]:
| Remote unauthenticated denial-of-service in Subversion mod_authz_svn

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-17525
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17525
[1] https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

Regards,
Salvatore



Marked as found in versions subversion/1.10.4-1+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Feb 2021 14:39:04 GMT)


Marked as found in versions subversion/1.10.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Feb 2021 14:39:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#982464; Package src:subversion. (Wed, 10 Feb 2021 20:21:03 GMT)


Acknowledgement sent to James McCoy <jamessan@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Feb 2021 20:21:03 GMT)


Message #14 received at 982464@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 982464@bugs.debian.org
Subject: Re: Bug#982464: subversion: CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn
Date: Wed, 10 Feb 2021 15:20:22 -0500
On Wed, Feb 10, 2021 at 03:36:11PM +0100, Salvatore Bonaccorso wrote:
> The following vulnerability was published for subversion.
> 
> CVE-2020-17525[0]:
> | Remote unauthenticated denial-of-service in Subversion mod_authz_svn

I'll have uploads ready for this tonight to both sid and buster.  I'll
send the debdiff for review before uploading to buster-security.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB



Information forwarded to debian-bugs-dist@lists.debian.org, James McCoy <jamessan@debian.org>:
Bug#982464; Package src:subversion. (Wed, 10 Feb 2021 20:24:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to James McCoy <jamessan@debian.org>. (Wed, 10 Feb 2021 20:24:02 GMT)


Message #19 received at 982464@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: James McCoy <jamessan@debian.org>, 982464@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#982464: subversion: CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn
Date: Wed, 10 Feb 2021 21:21:54 +0100
Hi James,

On Wed, Feb 10, 2021 at 03:20:22PM -0500, James McCoy wrote:
> On Wed, Feb 10, 2021 at 03:36:11PM +0100, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for subversion.
> > 
> > CVE-2020-17525[0]:
> > | Remote unauthenticated denial-of-service in Subversion mod_authz_svn
> 
> I'll have uploads ready for this tonight to both sid and buster.  I'll
> send the debdiff for review before uploading to buster-security.

Ack, thank you!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#982464; Package src:subversion. (Thu, 11 Feb 2021 01:51:03 GMT)


Acknowledgement sent to James McCoy <jamessan@debian.org>:
Extra info received and forwarded to list. (Thu, 11 Feb 2021 01:51:03 GMT)


Message #24 received at 982464@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 982464@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#982464: subversion: CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn
Date: Wed, 10 Feb 2021 20:49:39 -0500
On Wed, Feb 10, 2021 at 09:21:54PM +0100, Salvatore Bonaccorso wrote:
> Hi James,
> 
> On Wed, Feb 10, 2021 at 03:20:22PM -0500, James McCoy wrote:
> > On Wed, Feb 10, 2021 at 03:36:11PM +0100, Salvatore Bonaccorso wrote:
> > > The following vulnerability was published for subversion.
> > > 
> > > CVE-2020-17525[0]:
> > > | Remote unauthenticated denial-of-service in Subversion mod_authz_svn
> > 
> > I'll have uploads ready for this tonight to both sid and buster.  I'll
> > send the debdiff for review before uploading to buster-security.
> 
> Ack, thank you!

Buster debdiff attached.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB
[subversion_1.10.4-1+deb10u2.debdiff (text/plain, attachment)]

Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Thu, 11 Feb 2021 03:21:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 11 Feb 2021 03:21:06 GMT)


Message #29 received at 982464-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 982464-close@bugs.debian.org
Subject: Bug#982464: fixed in subversion 1.14.1-1
Date: Thu, 11 Feb 2021 03:18:25 +0000
Source: subversion
Source-Version: 1.14.1-1
Done: James McCoy <jamessan@debian.org>

We believe that the bug you reported is fixed in the latest version of
subversion, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 982464@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated subversion package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Feb 2021 21:17:14 -0500
Source: subversion
Architecture: source
Version: 1.14.1-1
Distribution: unstable
Urgency: high
Maintainer: James McCoy <jamessan@debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Closes: 982084 982464
Changes:
 subversion (1.14.1-1) unstable; urgency=high
 .
   * Update to new upstream version 1.14.1.
     + Fix FTBFS with OpenJDK 17 (Closes: #982084)
     + Security fix:
       - CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion
         mod_authz_svn  (Closes: #982464)
Checksums-Sha1:
 5bccc10ab2656cd1582ffb2d6d35ccc7df40d605 3807 subversion_1.14.1-1.dsc
 0cb09f8746a7ec0958f9c4dc67bdd2293fa9f859 11534165 subversion_1.14.1.orig.tar.gz
 ca34f173ed0890b0168c04e6846d9995b23a30f1 1288 subversion_1.14.1.orig.tar.gz.asc
 a3ba357a0072e0ced4ab7e3fbce059d179524d17 429692 subversion_1.14.1-1.debian.tar.xz
Checksums-Sha256:
 56fef3f578fe9a0aa0535bfe8759fe6d2d88db89d8f64b1be61489c441b6dff9 3807 subversion_1.14.1-1.dsc
 dee2796abaa1f5351e6cc2a60b1917beb8238af548b20d3e1ec22760ab2f0cad 11534165 subversion_1.14.1.orig.tar.gz
 4dafc04642e634f3b75d70d3d707ba8eacc63a4925026402afcb94566f445fa6 1288 subversion_1.14.1.orig.tar.gz.asc
 7f56c327762c153a39e7c08a27d5c675c692a63ea03f2b44109803800b8e43b7 429692 subversion_1.14.1-1.debian.tar.xz
Files:
 da2a70c6d10585d613330252a450a034 3807 vcs optional subversion_1.14.1-1.dsc
 979fa7480964bd7ebae68558d1de49aa 11534165 vcs optional subversion_1.14.1.orig.tar.gz
 3b2f684ec0e018a6107ebda8afe33705 1288 vcs optional subversion_1.14.1.orig.tar.gz.asc
 2789d5936dd642b371d76ada815098b9 429692 vcs optional subversion_1.14.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
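The Checksums-Sha256 and Files stanzas in the .changes text above are what lets anyone who mirrors the source package confirm that the tarball and debian.tar.xz they hold are the ones the maintainer signed. The following is an added example, not code from Debian, the subversion package or this bug report: it parses those stanzas and checks each listed file by size and SHA-256. The .changes text and the file contents are constructed inside the script (with hashes computed from those constructed bytes) so it runs offline; the stanza names are the real ones from the .changes format, the package name "pkg" and the `load_from_directory` helper are assumptions for illustration.

```python
"""Verify source artifacts against the Checksums-Sha256 stanza of a
Debian .changes file (added example; sample data is constructed)."""
import hashlib
import os

# Constructed sample artifacts: filename -> bytes. The .changes text is
# rendered from these, so its hashes match by construction.
SAMPLE_FILES = {
    "pkg_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: pkg\nVersion: 1.0-1\n",
    "pkg_1.0.orig.tar.gz": b"\x1f\x8b" + b"constructed tarball body" * 4,
}


def build_changes(files):
    """Render a minimal .changes text with Checksums-Sha256 and Files stanzas,
    in the same multi-line layout the real format uses."""
    lines = ["Format: 1.8", "Source: pkg", "Version: 1.0-1", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Files:")
    for name, data in files.items():
        lines.append(f" {hashlib.md5(data).hexdigest()} {len(data)} vcs optional {name}")
    return "\n".join(lines) + "\n"


def parse_stanza(changes_text, field):
    """Return {filename: (hexdigest, size)} for one multi-line field.

    Continuation lines start with a space; the last token is the filename,
    the first two are digest and size (this also fits the 5-column Files
    stanza, whose extra columns are section and priority)."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if in_field and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 3:
                entries[parts[-1]] = (parts[0], int(parts[1]))
        elif line.startswith(field + ":"):
            in_field = True
        else:
            in_field = False
    return entries


def verify(changes_text, files):
    """Compare held files against the Checksums-Sha256 stanza.

    Returns {filename: status} where status is one of
    "ok", "missing", "size-mismatch", "sha256-mismatch", "not-listed".
    Size is checked before hashing so a truncated download is reported
    as such rather than as a bare digest mismatch."""
    expected = parse_stanza(changes_text, "Checksums-Sha256")
    results = {}
    for name, (digest, size) in expected.items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    # Anything present on disk but absent from the signed list is suspect.
    for name in files:
        if name not in expected:
            results[name] = "not-listed"
    return results


def load_from_directory(changes_text, directory):
    """Assumed helper: read the files named in the stanza from a directory,
    so verify() can be run against a real download (files that do not
    exist are simply left out and reported as missing)."""
    files = {}
    for name in parse_stanza(changes_text, "Checksums-Sha256"):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files[name] = fh.read()
    return files


if __name__ == "__main__":
    changes = build_changes(SAMPLE_FILES)
    print(changes)
    for name, status in verify(changes, SAMPLE_FILES).items():
        print(f"{status:16} {name}")
```

Running it prints the constructed .changes text followed by "ok" for both files; flipping a byte in the tarball bytes turns that line into "sha256-mismatch", which is the check a mirror or build pipeline should refuse to proceed past.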




Information forwarded to debian-bugs-dist@lists.debian.org, James McCoy <jamessan@debian.org>:
Bug#982464; Package src:subversion. (Thu, 11 Feb 2021 05:24:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to James McCoy <jamessan@debian.org>. (Thu, 11 Feb 2021 05:24:05 GMT)


Message #34 received at 982464@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: James McCoy <jamessan@debian.org>
Cc: 982464@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#982464: subversion: CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn
Date: Thu, 11 Feb 2021 06:21:08 +0100
Hi James,

On Wed, Feb 10, 2021 at 08:49:39PM -0500, James McCoy wrote:
> On Wed, Feb 10, 2021 at 09:21:54PM +0100, Salvatore Bonaccorso wrote:
> > Hi James,
> > 
> > On Wed, Feb 10, 2021 at 03:20:22PM -0500, James McCoy wrote:
> > > On Wed, Feb 10, 2021 at 03:36:11PM +0100, Salvatore Bonaccorso wrote:
> > > > The following vulnerability was published for subversion.
> > > > 
> > > > CVE-2020-17525[0]:
> > > > | Remote unauthenticated denial-of-service in Subversion mod_authz_svn
> > > 
> > > I'll have uploads ready for this tonight to both sid and buster.  I'll
> > > send the debdiff for review before uploading to buster-security.
> > 
> > Ack, thank you!
> 
> Buster debdiff attached.

Looks good to me. Did you get an explicit chance to test the issue
triggering setup? In any case please feel free to upload to
security-master.

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Feb 11 08:02:09 2021; Machine Name: buxtehude
