[Bug 1915698] Re: Apache Subversion "mod_authz_svn" Denial of Service Vulnerability

it0001 1915698 at bugs.launchpad.net
Fri Apr 23 13:05:31 UTC 2021


I am trying to build the package, but I get this error:

$bzr builddeb -- -us -uc
...
dh_auto_configure: ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking returned exit code 1
debian/rules:18: recipe for target 'binary' failed
make: *** [binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2
debuild: fatal error at line 1152:
dpkg-buildpackage -rfakeroot -us -uc -ui failed
bzr: ERROR: The build failed.

I followed:
https://packaging.ubuntu.com/html/packaging-new-software.html
https://packaging.ubuntu.com/html/debian-dir-overview.html
https://svn.apache.org/repos/asf/subversion/trunk/INSTALL
https://subversion.apache.org/source-code.html


In particular, I left the rules file as it is. Any ideas how to fix this?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to subversion in Ubuntu.
https://bugs.launchpad.net/bugs/1915698

Title:
  Apache Subversion "mod_authz_svn" Denial of Service Vulnerability

Status in subversion package in Ubuntu:
  Confirmed

Bug description:
  An error in the mod_authz_svn module can be exploited to trigger a
  NULL pointer dereference and subsequently cause a crash via a
  specially crafted request.

  Successful exploitation of this vulnerability requires the Apache
  HTTPD server to be configured to use an in-repository authz file with
  certain configuration directives (please see the vendor's advisory for
  further details).

  The vulnerability is reported in versions 1.9.0 through 1.10.6 and
  1.11.0 through 1.14.0.

  Affected Software

  The following software is affected by the described vulnerability.
  Please check the vendor links below to see if exactly your version is
  affected.

  Apache Subversion 1.x

  Solution

  Update to version 1.14.1 or 1.10.7.

  References

  1. https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

  Please take appropriate measures.
