[Bug 1915698] Re: Apache Subversion "mod_authz_svn" Denial of Service Vulnerability
Eduardo Barretto
1915698 at bugs.launchpad.net
Fri Apr 23 15:02:19 UTC 2021
If you're trying to bring the latest release of subversion to Ubuntu, then
you need to check the SRU page mentioned by Seth. The SRU has its own
whole process and there will be a need for a good reason to have the SRU
approved; it is not that simple.
Ubuntu is based on delivering a stable system to users, so we don't
normally do version upgrades, instead we backport patches to fix
security issues or bugs. This avoids bringing new features and
dependencies that the package didn't have before and breaking systems.
If your concern is just regarding that security issue, CVE-2020-17525,
then try to follow the steps that I've mentioned in comment #10.
Hope it helps :)
--
https://bugs.launchpad.net/bugs/1915698
Title:
Apache Subversion "mod_authz_svn" Denial of Service Vulnerability
Status in subversion package in Ubuntu:
Confirmed
Bug description:
An error in the mod_authz_svn module can be exploited to trigger a
NULL pointer dereference and subsequently cause a crash via a
specially crafted request.
Successful exploitation of this vulnerability requires the Apache
HTTPD server to be configured to use an in-repository authz file with
certain configuration directives (please see the vendor's advisory for
further details).
The vulnerability is reported in versions 1.9.0 through 1.10.6 and
1.11.0 through 1.14.0.
Affected Software
The following software is affected by the described vulnerability.
Please check the vendor links below to see if exactly your version is
affected.
Apache Subversion 1.x
Solution
Update to version 1.14.1 or 1.10.7.
References
1. https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
Please take appropriate measures.