[Bug 1915698] Re: Apache Subversion "mod_authz_svn" Denial of Service Vulnerability
Seth Arnold
1915698 at bugs.launchpad.net
Fri Feb 19 21:44:54 UTC 2021
Probably the change from Subversion 1.13 to 1.14 is larger than the
stable-release-update team would be willing to work with. However, I
can't speak for them; here's the wiki page describing the process for
performing updates on packages after release:
https://wiki.ubuntu.com/StableReleaseUpdates
I suggest having a conversation about it with the sru team before
starting to work on it.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to subversion in Ubuntu.
https://bugs.launchpad.net/bugs/1915698
Title:
Apache Subversion "mod_authz_svn" Denial of Service Vulnerability
Status in subversion package in Ubuntu:
Confirmed
Bug description:
An error in the mod_authz_svn module can be exploited to trigger a
NULL pointer dereference and subsequently cause a crash via a
specially crafted request.
Successful exploitation of this vulnerability requires the Apache
HTTPD server to be configured to use an in-repository authz file with
certain configuration directives (please see the vendor's advisory for
further details).
The vulnerability is reported in versions 1.9.0 through 1.10.6 and
1.11.0 through 1.14.0.
Affected Software
The following software is affected by the described vulnerability.
Please check the vendor links below to see if exactly your version is
affected.
Apache Subversion 1.x
Solution
Update to version 1.14.1 or 1.10.7.
References
1. https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
<https://subversion.apache.org/security/CVE-2020-17525-advisory.txt>
Please take appropriate measures.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1915698/+subscriptions
More information about the foundations-bugs
mailing list