Package : subversion Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-1752 CVE-2011-1783 CVE-2011-1921 Several vulnerabilities were discovered in Subversion, the version control system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2011-1752 The mod_dav_svn Apache HTTPD server module can be crashed though when asked to deliver baselined WebDAV resources. CVE-2011-1783 The mod_dav_svn Apache HTTPD server module can trigger a loop which consumes all available memory on the system. CVE-2011-1921 The mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users.
*** Bug 1642 has been marked as a duplicate of this bug. ***
cve.mitre.org links: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1752 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1921 Upstream has indicated that 1.6.17 corrects the issue, and Debian has released packages with 1.6.17. I am not finding any published POCs to test the issues. Randomly picking this as our first "official" update candidate for mga1, to walk through the process.
CC: (none) => stewbintn
Still waking up I guess. This bug raises the question of how we handle for updates. Make a first exception and bump the version, or backport patches? Debian released old versions for some releases, presumably patched, so there should be patches we can use: For the oldstable distribution (lenny), this problem has been fixed in version 1.5.1dfsg1-7. For the stable distribution (squeeze), this problem has been fixed in version 1.6.12dfsg-6.
I think bump the version, mga1 is already at 1.6.16, so just one point release. FWIW, subversion-1.6.17 has been in cauldron since 12th of June, on regressions AFAICS (i.e. I didn't see any, and no open reports in our bugzilla).
Package with patchs from debian for cve-2011-1752, cve-2011-1783, cve-2011-1921 submitted to updates_testing.
Status: NEW => ASSIGNEDCC: (none) => boklmAssignee: bugsquad => qa-bugs
From bug 1700, subversion-1.6.17 is already in 2010.1/2 main/updates, we'll have to update to that version to smooth upgrades.
Regarding Comment 6, does that mean there is a further change coming, or should testing proceed?
CC: (none) => davidwhodgins
Closing, because now things happen in bug #2239 (which was almost a duplicate but now is the one that gets the focus :)) *** This bug has been marked as a duplicate of bug 2239 ***
Status: ASSIGNED => RESOLVEDCC: (none) => stormiResolution: (none) => DUPLICATE
CC: boklm => (none)