On Thu, Oct 26, 2023 at 7:36 PM Mark Phippard <markp...@gmail.com> wrote:

> On Thu, Oct 26, 2023 at 9:59 AM Nathan Hartman <hartman.nat...@gmail.com>
> wrote:
> >>
> >> -------- Forwarded Message --------
> >
> > (snip headers)
> >>
> >>
> >> Hello Users Community,
> >>
> >> Hope you are doing great.
> >> I have installed Apache Subversion 1.13 in Ubuntu 20.04.5 using apt-get
> >> (From Ubuntu package) and also installed libapache2-mod-svn.
> >> I do not have any plan to upgrade the OS to Ubuntu 22.04. I am looking
> >> if I use apt-get upgrade subversion will automatically upgrade
> >> Subversion to 1.14 and also upgrade the library.
> >
> > Not by default (however see below): Generally, once a Ubuntu release
> > line like 20.04.x is made, software in the Ubuntu package repositories
> > will get only bug fixes and security fixes, not new features. This means
> > that the Subversion packages will remain at 1.13.x for Ubuntu 20.04.x
> > when using the default package repositories.
> >
> > However, it is likely that Ubuntu's backports repositories have the
> > newer Subversion 1.14.x releases. The backports repositories are the
> > preferred way to install newer releases of software packages on older
> > releases of Ubuntu.
>
> I would add that I do not believe there are compelling reasons to
> upgrade from 1.13 to 1.14 if your distro hasn't. I would recommend
> sticking with what your distro is providing unless there is some
> highly compelling reason to install your own package. This is
> especially true on a server.
>
> If you really have a need for 1.14, I would upgrade your entire distro
> to a version that provides it.
>
> Mark
>

Hello Mark,

As per my understanding, Subversion 1.13 is no longer supported and no
security patches have been released for the following items in Subversion
1.13.

   - CVE-2020-17525: Denial of service vulnerability in mod_authz_svn
   module. This vulnerability can be exploited by an attacker to cause Apache
   Subversion to crash.
   - CVE-2021-21298: Insecure deserialization vulnerability in libsvn_xml
   library. This vulnerability can be exploited by an attacker to execute
   arbitrary code on the Subversion server.
   - CVE-2021-21297: Heap-based buffer overflow vulnerability in
   libsvn_fs_x library. This vulnerability can be exploited by an attacker to
   execute arbitrary code on the Subversion server.
   - CVE-2021-21296: Integer overflow vulnerability in libsvn_diff library.
   This vulnerability can be exploited by an attacker to cause Apache
   Subversion to crash.

This is the reason why I am looking for an upgrade to Subversion 1.14.5.

Thank you.
